GitHub Action
The bundled composite Action and its typed inputs.
The zmaril/straitjacket GitHub Action downloads the prebuilt binary and runs it
over your repo in one self-contained pass. It fails the job on any error-level
finding, and by default uploads its findings to GitHub code scanning as SARIF
(annotations on the PR diff). For a walkthrough see
Add Straitjacket to CI; this page is the input reference.
Usage
permissions:
security-events: write # so the default SARIF upload can post annotations
contents: read
steps:
- uses: actions/checkout@v4
- uses: zmaril/straitjacket@v0.2.3
with:
version: "v0.2.3" # pin the scanner too — see the note below
paths: "src tests"
skip: "motion,slop-prose"Pin the full version on both the uses: line (@v0.2.3, the Action wrapper)
and the version: input (v0.2.3, the scanner binary). Left unset, version
defaults to latest, so a new release applies its new rules the moment it ships —
failing an unrelated PR on a rule you never opted into. Bump both, deliberately.
Inputs
Each input is optional and maps to a CLI flag. Blanks fall back to Straitjacket's own defaults.
| input | default | maps to |
|---|---|---|
version | latest | which release to download — pin a tag (e.g. v0.2.3); latest floats and applies new rules the moment they ship |
working-directory | . | directory to run the scan from |
paths | . | paths to scan (space-separated) |
format | text | --format for the job-log output (text, json, or sarif) |
sarif | true | On by default. Writes SARIF and uploads it to code scanning (annotations on the PR diff and in the Security tab), then gates on findings — you get annotations and the gate. Grant security-events: write for the upload; without it the upload is skipped but the scan still gates. Set "false" to disable. See SARIF / inline PR annotations. |
only | — | --only (comma-separated rule ids) |
skip | — | --skip (comma-separated rule ids) |
max-lines | 1500 | --max-lines (0 disables file-size) |
prose-window | 400 | --prose-window |
dup-min-tokens | 50 | --dup-min-tokens |
no-ignore | false | --no-ignore when true |
no-fail | false | --no-fail when true |
Notes
- The Action is a composite action — it fetches a single static binary, so there's no toolchain or Node to set up.
- Pin
versionto a release tag for reproducible CI rather than trackinglatest. - Set
no-fail: "true"to report findings without failing the build while you adopt Straitjacket.