What started as a consistency check for immutable SHA pinning and the version comments that sit beside the pins grew into a larger project with token sandboxing and a suite of runtime checks. I drew some inspiration from zizmor, which focuses more on static analysis. Fundamentally, hasp does two things:
1. Scan: a paranoid audit of `.github/workflows/` that verifies every `uses:` is pinned to an immutable commit SHA that actually exists upstream, checks commit provenance, maps which secrets reach which actions, and flags injection patterns and excessive permissions.
2. Exec: wraps any subprocess in Landlock (filesystem) + seccomp (syscalls) + cgroup BPF (network egress). Rather than injecting secrets into the environment, they're served from a localhost proxy with a per-secret allowlist of destination domains. A compromised npm postinstall can't exfiltrate GITHUB_TOKEN to evil.com because the BPF program drops the connection.
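As an added example (not hasp's own code), here is the core of the scan step's pinning check in std-only Rust: every `uses:` must carry a full 40-hex commit SHA and a `# vX.Y.Z` comment, while tags, branches and abbreviated SHAs are flagged. The workflow and its SHAs are constructed for the example, and the check is offline, so unlike hasp it does not confirm that each SHA exists in the upstream repository or inspect its provenance.

```rust
// Added example, not hasp's own code: a std-only sketch of the scan step's
// "every `uses:` is pinned to a full commit SHA, with a version comment" check.
// It works offline on a constructed workflow; a real scan would additionally
// confirm that each SHA exists in the upstream repository.

/// One finding per non-local `uses:` reference in a workflow.
#[derive(Debug, PartialEq, Eq)]
pub enum Finding {
    /// 40-hex SHA with a `# vX.Y.Z` comment beside it.
    Pinned { action: String, sha: String },
    /// Tag, branch, or no ref at all: mutable, so an upstream compromise flows downstream.
    UnpinnedRef { action: String, reference: String },
    /// Abbreviated SHA: prefix collisions are feasible, so not an immutable pin.
    ShortSha { action: String, sha: String },
    /// Full SHA but no human-readable version comment to check it against.
    MissingVersionComment { action: String, sha: String },
}

fn is_hex(s: &str) -> bool {
    !s.is_empty() && s.chars().all(|c| c.is_ascii_hexdigit())
}

/// Accepts "v4" or "v4.2.2"; rejects empty or free-form comment text.
fn looks_like_version(comment: &str) -> bool {
    match comment.trim().strip_prefix('v') {
        Some(rest) => !rest.is_empty() && rest.chars().all(|c| c.is_ascii_digit() || c == '.'),
        None => false,
    }
}

/// Line-based scan; enough for the `- uses: owner/repo@ref # comment` shape
/// workflows actually use, without pulling in a YAML parser.
pub fn audit_uses(workflow: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for raw in workflow.lines() {
        let line = raw.trim().trim_start_matches('-').trim();
        let rest = match line.strip_prefix("uses:") {
            Some(r) => r,
            None => continue,
        };
        let (value, comment) = match rest.split_once('#') {
            Some((v, c)) => (v.trim(), Some(c.trim())),
            None => (rest.trim(), None),
        };
        let value = value.trim_matches(|c: char| c == '"' || c == '\'');
        // Local composite actions and Docker images are not GitHub refs; skip them here.
        if value.starts_with("./") || value.starts_with("docker://") {
            continue;
        }
        let (action, reference) = match value.rsplit_once('@') {
            Some((a, r)) => (a.to_string(), r.to_string()),
            None => (value.to_string(), String::new()),
        };
        let finding = if reference.len() == 40 && is_hex(&reference) {
            match comment {
                Some(c) if looks_like_version(c) => Finding::Pinned { action, sha: reference },
                _ => Finding::MissingVersionComment { action, sha: reference },
            }
        } else if (7..40).contains(&reference.len()) && is_hex(&reference) {
            Finding::ShortSha { action, sha: reference }
        } else {
            Finding::UnpinnedRef { action, reference }
        };
        findings.push(finding);
    }
    findings
}

/// The audit passes only if every reference is a full, commented SHA.
pub fn fails_audit(findings: &[Finding]) -> bool {
    findings.iter().any(|f| !matches!(f, Finding::Pinned { .. }))
}

/// Constructed sample workflow; the SHAs are made up, not real upstream commits.
pub const SAMPLE_WORKFLOW: &str = r##"
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: "actions/setup-node@v4"
      - uses: actions/cache@0123456
      - uses: ./.github/actions/internal
      - uses: docker://alpine:3.20
      - uses: example/action@89abcdef0123456789abcdef0123456789abcdef
      - uses: actions/upload-artifact@main
"##;

fn main() {
    let findings = audit_uses(SAMPLE_WORKFLOW);
    for f in &findings {
        println!("{f:?}");
    }
    std::process::exit(if fails_audit(&findings) { 1 } else { 0 });
}
```

On the sample, only the first `checkout` line passes; `setup-node@v4` and `upload-artifact@main` are mutable refs, `cache@0123456` is an abbreviated SHA, and `example/action` is pinned but has no version comment to cross-check against. Treating a hex-looking branch name of seven or more characters as a short SHA is a deliberate false positive: in a paranoid audit that is the safer direction to err.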
Written in Rust, shipped as a single musl binary under the MIT License, and available now as-is in alpha. Run the binary directly in a GitHub Actions job, or use the forthcoming GitHub Action that wraps it. See docs/TRUST.md to understand the bootstrappable trust model.