| Flag | Short | Default | Description |
|---|---|---|---|
| `--path` | `-p` | `.` | Path to the local repository or directory to scan. |
| `--file` | `-f` | unset | Scan a single specific workflow file. Overrides `--path`. |
| `--git` | `-g` | unset | GitHub repository to scan. Accepts `owner/repo` or a full URL. Triggers a `git clone --depth 1` into a temporary directory. |
| `--output` | `-o` | `console` | Output format. One of `console` or `json`. |
| `--fail-on` | `-s` | `MEDIUM` | Severity threshold for exit code 1. One of `HIGH`, `MEDIUM`, `LOW`, `INFO`, or `NONE`. See exit codes. |
| `--ruleset` | `-r` | `all` | Which rules to apply. `all` includes best-practice checks; `owasp` keeps only `CICD-SEC-*`. |
| `--keep-temp` | | `false` | When using `-g`, keep the temporary clone directory after the scan. Useful for inspecting what was scanned. |
| `--fix` | | `false` | Attempt to automatically fix detected issues in place. See Auto-fix. Not supported with `-g`. |