This repo provides a GitHub Action for validating a repository's security-insights.yml file against the official OSSF Security Insights CUE schema. The schema version is extracted from the file itself, so the correct spec version is always used automatically.
- Validates `security-insights.yml` against the official OSSF CUE schema
- Automatically detects the schema version declared in the file
- Fails loudly on schema mismatches, missing fields, or invalid versions
- No configuration required for the default file location
A minimal workflow that validates the file whenever a pull request changes it:

```yaml
name: Validate Security Insights
on:
  pull_request:
    paths:
      - ".github/security-insights.yml"
permissions:
  contents: read
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Validate Security Insights
        uses: revanite-io/security-insights-action@v1.0.0
```

To validate a file that is not at the default location, pass the `file` input:

```yaml
      - name: Validate Security Insights
        uses: revanite-io/security-insights-action@v1.0.0
        with:
          file: path/to/security-insights.yml
```

| Input | Description | Required | Default |
|---|---|---|---|
| `file` | Path to the `security-insights.yml` file | No | `.github/security-insights.yml` |
- The runner must have `yq` available (pre-installed on `ubuntu-latest`)
- The `schema-version` declared in your `security-insights.yml` must correspond to a valid tag in the ossf/security-insights repository (e.g., `2.2.0` resolves to tag `v2.2.0`)
- Sets up CUE on the runner
- Reads the `schema-version` from the header of your `security-insights.yml`
- Downloads the matching CUE schema from ossf/security-insights at that version tag
- Runs `cue vet` to validate the file against the schema
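The version-detection step above, written out as an added example (not the action's own code): it reads `schema-version` from the `header` block of a constructed sample file, rejects anything that is not a plain `MAJOR.MINOR.PATCH` string before any download is attempted, and maps the value to the `v`-prefixed tag the action fetches. The action itself uses `yq`; this example uses `awk` so it runs with no extra tooling, and the function names `si_schema_version` and `si_schema_tag` are assumptions of the example.

```shell
#!/usr/bin/env sh
set -eu

# Constructed sample security-insights.yml, written to a temp dir so the example runs offline.
SI_DIR=$(mktemp -d)
SAMPLE="$SI_DIR/security-insights.yml"
cat > "$SAMPLE" <<'EOF'
header:
  schema-version: 2.2.0
  last-updated: '2024-01-01'
project:
  name: example
EOF

# Print the schema-version declared under the top-level "header:" key, or nothing if absent.
# Only lines inside the header block are considered, so a stray "schema-version" elsewhere is ignored.
si_schema_version() {
  awk '
    /^header:/           { in_header = 1; next }
    /^[^ \t#]/           { in_header = 0 }
    in_header && $1 == "schema-version:" { gsub(/["'\'']/, "", $2); print $2; exit }
  ' "$1"
}

# Map the declared schema-version to the ossf/security-insights tag (2.2.0 -> v2.2.0).
# Anything other than MAJOR.MINOR.PATCH fails here with a clear message rather than
# turning into a confusing "tag not found" error during the schema download.
si_schema_tag() {
  ver=$(si_schema_version "$1")
  case "$ver" in
    ''|*[!0-9.]*|*..*|.*|*.|*.*.*.*)
      echo "invalid schema-version: '${ver:-<missing>}' (expected MAJOR.MINOR.PATCH)" >&2
      return 1 ;;
    *.*.*)
      printf 'v%s\n' "$ver" ;;
    *)
      echo "expected MAJOR.MINOR.PATCH, got '$ver'" >&2
      return 1 ;;
  esac
}

si_schema_tag "$SAMPLE"   # prints v2.2.0 for the sample above
```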
Contributions are welcome! Please open an issue or pull request.
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
- OSSF Security Insights Spec - The Security Insights specification and schema
- OSSF SI Tooling - Tooling for working with Security Insights files