DEV Community

depmedicdev-byte

Posted on • Originally published at depmedicdev-byte.github.io

ci-doctor vs octoscan: when to use which

octoscan is a Go-based security scanner from Synacktiv that audits GitHub Actions workflows for supply-chain vulnerabilities. People keep asking how it stacks up against ci-doctor. Honest answer: they're complementary - run both.

tl;dr

  • octoscan: pure security focus. Goes deep on injection, dangerous triggers, runner take-over patterns.
  • ci-doctor: security + cost + reliability. Broader scope, less depth on pure security.

Where octoscan wins

  • Deep injection analysis. Tracks user-controllable context (github.event.*) into shell commands across step boundaries.
  • Dangerous trigger combinations. Precise sub-rules for pull_request_target combined with checkout patterns.
  • Self-hosted runner take-over patterns. Catches non-ephemeral runner usage that lets a forked PR hijack the runner.
  • Synacktiv pedigree. They're a real offsec firm with public publications.
  • Single Go binary. No runtime dependency.

Where ci-doctor wins

  • Cost rules octoscan does not have. missing-concurrency, missing-cache, expensive-runner, cron-storm, wide-paths, service-no-healthcheck. These hit the bill, not the build log.
  • Reliability rules octoscan does not have. missing-timeout-minutes, flaky-retries, legacy-actions-version.
  • Auto-fix mode. npx ci-doctor --fix rewrites four safe categories in place. octoscan is read-only.
  • Sister tools for other CIs. gitlab-ci-doctor, bitbucket-ci-doctor, azure-pipelines-ci-doctor, circleci-ci-doctor. octoscan is GitHub-only.
  • Zero install via npx ci-doctor. No compile, no PATH wiring.
  • Companion ci-doctor-action with sticky PR comment + SARIF.
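To make the rule families above concrete, here is an added example (my own script, not code from ci-doctor or octoscan): a deliberately small, regex-based linter that implements four of the checks named in the two lists, two from octoscan's side (a user-controllable github.event.* expression interpolated into a run: script, and pull_request_target combined with a checkout of the PR head) and two from ci-doctor's (missing-timeout-minutes, missing-concurrency), run over a constructed workflow. The rule names, the list of user-controllable contexts and the 2-space-indentation assumption are mine, not either project's; real scanners parse the YAML properly instead of matching lines.

```python
"""Minimal GitHub Actions workflow linter (added example, not ci-doctor or octoscan code).

Line-based heuristics over the raw workflow text, so no YAML library is needed.
Checks (names are my own, not either project's rule ids):
  expression-injection    : user-controllable ${{ github.event.* }} inside a run: script
  prt-checkout            : pull_request_target trigger + checkout of the PR head ref
  missing-timeout-minutes : a job without timeout-minutes
  missing-concurrency     : workflow without any concurrency: block
"""
import re
from dataclasses import dataclass

# Contexts a fork contributor controls; the exact list is an assumption.
USER_CONTROLLED = re.compile(
    r"\$\{\{\s*(github\.event\.(issue|pull_request|comment|review|discussion)\.[\w.]+"
    r"|github\.head_ref|github\.event\.head_commit\.(message|author\.\w+))\s*\}\}"
)
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


@dataclass
class Finding:
    rule: str
    line: int     # 1-based line in the workflow; 0 means "whole file"
    detail: str


def _job_blocks(lines):
    """Yield (job_name, start_index, job_lines); assumes job names sit at column 2."""
    jobs_at = next((i for i, l in enumerate(lines) if l.rstrip() == "jobs:"), None)
    if jobs_at is None:
        return
    job_re = re.compile(r"^  ([\w-]+):\s*$")
    starts = [i for i in range(jobs_at + 1, len(lines)) if job_re.match(lines[i])]
    for n, s in enumerate(starts):
        e = starts[n + 1] if n + 1 < len(starts) else len(lines)
        yield job_re.match(lines[s]).group(1), s, lines[s:e]


def _steps(job_lines, base):
    """Split a job's steps: list into (absolute_start_index, step_lines) chunks."""
    steps_at = next((i for i, l in enumerate(job_lines) if l.strip() == "steps:"), None)
    if steps_at is None:
        return []
    item_re, indent, starts = re.compile(r"^(\s*)-\s"), None, []
    for i in range(steps_at + 1, len(job_lines)):
        m = item_re.match(job_lines[i])
        if m and (indent is None or len(m.group(1)) == indent):
            indent = len(m.group(1))
            starts.append(i)
    return [(base + s, job_lines[s:(starts[n + 1] if n + 1 < len(starts) else len(job_lines))])
            for n, s in enumerate(starts)]


def _run_script(step):
    """Return only the run: value of a step (inline or block scalar); env:, with: etc. are not shell."""
    run_re = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
    for i, l in enumerate(step):
        m = run_re.match(l)
        if not m:
            continue
        key_col, rest = len(m.group(1)) + len(m.group(2) or ""), m.group(3)
        if rest.strip() in ("|", ">", "|-", ">-"):
            block = []
            for l2 in step[i + 1:]:
                if l2.strip() and len(l2) - len(l2.lstrip()) <= key_col:
                    break           # back at a sibling key of the step, block ended
                block.append(l2)
            return "\n".join(block)
        return rest
    return ""


def scan_workflow(text):
    lines = text.splitlines()
    findings = []
    jobs_at = next((i for i, l in enumerate(lines) if l.rstrip() == "jobs:"), len(lines))
    has_prt = re.search(r"\bpull_request_target\b", "\n".join(lines[:jobs_at])) is not None
    if not any(l.lstrip().startswith("concurrency:") for l in lines):
        findings.append(Finding("missing-concurrency", 0, "no concurrency: block; overlapping runs pile up"))
    for name, start, job in _job_blocks(lines):
        if not any(l.lstrip().startswith("timeout-minutes:") for l in job):
            findings.append(Finding("missing-timeout-minutes", start + 1, f"job {name} can hang until the 6h default"))
        for s_idx, step in _steps(job, start):
            body = "\n".join(step)
            # ${{ }} in run: is substituted before the shell parses it, so a
            # contributor-controlled value becomes shell code; passing it via env: is the safe form.
            for m in USER_CONTROLLED.finditer(_run_script(step)):
                findings.append(Finding("expression-injection", s_idx + 1,
                                        f"job {name}: {m.group(0).strip()} inside a run: script"))
            if has_prt and "actions/checkout" in body and PR_HEAD_REF.search(body):
                findings.append(Finding("prt-checkout", s_idx + 1,
                                        f"job {name}: pull_request_target runs fork code with a write token"))
    return findings


# Constructed sample: one risky job, one job that passes every check.
SAMPLE_WORKFLOW = """\
name: triage
on:
  pull_request_target:
    types: [opened]
permissions:
  contents: read
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
      - run: echo "safe, title passed through an env var"
        env:
          TITLE: ${{ github.event.pull_request.title }}
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - run: echo "ok"
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{f.rule:24} line {f.line:3}  {f.detail}")
```

The third step of the `label` job deliberately carries the same expression in `env:` rather than `run:` and produces no finding; that is the distinction the injection rule has to make, and the reason a linter that only greps for `github.event` everywhere would be too noisy to keep enabled.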

Run them side by side

```yaml
name: ci-audit
on: pull_request
permissions:
  contents: read
  security-events: write
jobs:
  octoscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          curl -fsSL -o octoscan https://github.com/synacktiv/octoscan/releases/latest/download/octoscan_linux_amd64
          chmod +x ./octoscan
          # the output must be SARIF and the file name must match sarif_file below
          ./octoscan scan . > octoscan.sarif || true
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: octoscan.sarif
          category: octoscan
  ci-doctor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: depmedicdev-byte/ci-doctor-action@v1
```

Both reports show under the Security tab in different categories. They don't conflict.

Why I bother writing these

Same reason I wrote the zizmor comparison and the actionlint comparison. Every "X vs Y" comparison written by one of the maintainers is suspicious by default; I'd rather you have the honest version.

Open an issue if anything here is wrong or outdated.

Full version with styled comparison: /compare/ci-doctor-vs-octoscan.html.
