# Install ghalint with Homebrew, Nix

GitHub Actions linter. Version 1.5.6 via Homebrew; verified 2026-06-07.

## Install

```sh
sudo av install brew:ghalint
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install ghalint
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#ghalint
```

  Evidence: nixpkgs package indexes: pkgs/by-name/gh/ghalint/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:ghalint
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/ghalint>
- **Version:** 1.5.6
- **Source summary:** GitHub Actions linter
- **Homepage:** <https://github.com/suzuki-shunsuke/ghalint>
- **Repository:** <https://github.com/suzuki-shunsuke/ghalint>
- **Upstream docs:** <https://github.com/suzuki-shunsuke/ghalint#readme>
- **License:** MIT
- **Source archive:** <https://github.com/suzuki-shunsuke/ghalint/archive/refs/tags/v1.5.6.tar.gz>
- **Last updated:** 2026-06-07T13:07:14+09:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- ghalint (cli)
- ghalint (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.5.6
- Package-manager updated: 2026-06-07
- Local data: ok
- Upstream repository: https://github.com/suzuki-shunsuke/ghalint
- Upstream latest detected: v1.5.6 (current)
## Project history and usage

ghalint is a Go command-line linter for GitHub Actions workflow files and action metadata. It turns a small set of CI security practices into repeatable checks that can fail a build before a workflow grants broad permissions, exposes secrets through environment variables, or depends on mutable third-party action references.

### Project history

Shunsuke Suzuki published the first ghalint releases in January 2023. The README describes the tool as a linter for GitHub Actions security best practices, and its policy documents show the early focus: explicit job permissions, avoiding broad read-all or write-all permissions, limiting inherited secrets, and pinning actions to full-length commit SHAs.

The project later documented a port to the lintnet module ecosystem, connecting ghalint's original GitHub Actions rule set with a broader Jsonnet-powered linting framework. That migration path suggests the project became both a standalone binary and a policy corpus that could be reused by another linter.

### Adoption history

ghalint is a niche security tool rather than a general CI parser. Its adoption path is package-manager friendly: the official install guide lists Homebrew, Scoop, aqua, mise, GitHub Releases, and `go install`, while Homebrew exposes it as a one-command formula. That distribution pattern fits teams that want a small CI hardening check without installing a larger platform.

### How it is used

Practitioners run `ghalint run` from a repository root to inspect workflow files under `.github/workflows`, or `ghalint run-action` for `action.yaml` and `action.yml` files. A `ghalint.yaml` configuration file can disable selected policies for named workflows, jobs, or actions when a repository has an intentional exception.

### Why package nerds care

For package maintainers, ghalint is notable because it packages CI supply-chain advice as a fast local executable. It complements tools such as actionlint by concentrating on security posture: minimum permissions, safe secret handling, pinned action references, and checkout credential handling.

### Timeline

- 2023: v0.1.0 was published on GitHub Releases.
- 2023: Early policy docs covered job permissions, workflow secrets, inherited secrets, and immutable action references.
- After 2023: The README documented a ghalint module for lintnet.

### Related projects

- lintnet reuses the ghalint policy domain in a general-purpose Jsonnet linter.
- pinact is referenced by ghalint documentation as a helper for converting GitHub Actions tags to full-length commit SHAs.

### Sources

- <https://formulae.brew.sh/formula/ghalint>
- <https://github.com/suzuki-shunsuke/ghalint>
- <https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/install.md>
- <https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/001.md>
- <https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/008.md>
- <https://github.com/suzuki-shunsuke/ghalint/releases/tag/v0.1.0>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** ghalint
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - ghalint: normalized package name match | nixpkgs package indexes: pkgs/by-name/gh/ghalint/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [bandit](https://www.automicvault.com/pkg/brew/bandit/) - Shares av.db curated category or tags: cli, linter, security, static-analysis.
- [ratchet](https://www.automicvault.com/pkg/brew/ratchet/) - Shares av.db curated category or tags: ci-cd, cli, security.
- [caracal](https://www.automicvault.com/pkg/brew/caracal/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [cargo-geiger](https://www.automicvault.com/pkg/brew/cargo-geiger/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [flawfinder](https://www.automicvault.com/pkg/brew/flawfinder/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [gosec](https://www.automicvault.com/pkg/brew/gosec/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [joern](https://www.automicvault.com/pkg/brew/joern/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [noir](https://www.automicvault.com/pkg/brew/noir/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [raven](https://www.automicvault.com/pkg/brew/raven/) - Security-sensitive metadata or terminology overlaps. Shared terms: actions, analysis, ci-cd, cli, github.

## Combined YAML source

View the package source record on GitHub. [combined/ghalint.yml](https://github.com/automic-vault/db/blob/main/combined/ghalint.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
