Audit GitHub Actions security posture of your Python dependency tree using zizmor
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
insecure-tree
Audit the GitHub Actions security posture of your entire Python dependency tree.
insecure-tree discovers your transitive dependencies, resolves their PyPI metadata, identifies claimed GitHub repositories, downloads workflow files, and runs zizmor against each one — then produces a unified text, HTML, and JSON report showing every finding and which package it came from.
Installation
# Install zizmor first (required)
pip install zizmor
# Install insecure-tree
pipx install insecure_tree
Or with pip:
pip install insecure_tree
Quick start
# Scan a uv project
insecure-tree scan --source uv --project .
# Scan the active virtualenv
insecure-tree scan --source pip-inspect
# Auto-detect the best source
insecure-tree scan
Reports land in ./insecure-tree-report/ as insecure-tree.txt, insecure-tree.html, and insecure-tree.json.
CI usage
insecure-tree scan \
--source auto \
--format text \
--format html \
--fail-on error \
--output-dir artifacts/insecure-tree
Exit codes: 0 clean, 1 findings above threshold, 2 config error, 3 infrastructure error, 4 partial scan failure.
All commands
| Command | Description |
|---|---|
insecure-tree scan |
Run the full audit pipeline |
insecure-tree graph |
Emit the dependency graph as JSON or text |
insecure-tree metadata PACKAGE |
Inspect PyPI metadata and GitHub candidates for one package |
insecure-tree report --input FILE |
Re-render a report from a saved JSON file |
insecure-tree cache dir |
Print the cache directory path |
insecure-tree cache clean |
Remove expired cache entries |
Configuration
Configuration is read from pyproject.toml under [tool.insecure-tree] or from insecure-tree.toml:
[tool.insecure-tree]
source = "auto"
fail_on = "never"
report_min_severity = "note"
[tool.insecure-tree.github]
token_env = "GITHUB_TOKEN"
[tool.insecure-tree.repo_overrides]
"Pillow" = "https://github.com/python-pillow/Pillow"
[[tool.insecure-tree.ignore]]
package = "some-package"
rule = "excessive-permissions"
reason = "Accepted risk — only runs on release branches."
expires = "2026-12-01"
Documentation
Full documentation is at insecure-tree.readthedocs.io.
Contributing
See CONTRIBUTING.md.
License
MIT — see LICENSE.
Changelog
See CHANGELOG.md.
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file insecure_tree-0.1.0.tar.gz.
File metadata
- Download URL: insecure_tree-0.1.0.tar.gz
- Upload date:
- Size: 35.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e74c0d8accdd910eda737be5565bc732975a5d040f803a0f1ee5e15afda7535f
|
|
| MD5 |
dfc8e8b87263ee86cd96dc00113418cd
|
|
| BLAKE2b-256 |
2757b35025f0eeec67ab6844574c1316b8c2005229867ec955a46eb4d886c43a
|
Provenance
The following attestation bundles were made for insecure_tree-0.1.0.tar.gz:
Publisher:
publish_to_pypi.yml on matthewdeanmartin/insecure_tree
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
insecure_tree-0.1.0.tar.gz -
Subject digest:
e74c0d8accdd910eda737be5565bc732975a5d040f803a0f1ee5e15afda7535f - Sigstore transparency entry: 1435889843
- Sigstore integration time:
-
Permalink:
matthewdeanmartin/insecure_tree@4465a790edcc7b5e997b8bb9228e806aacde5dad -
Branch / Tag:
refs/heads/main - Owner: https://github.com/matthewdeanmartin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish_to_pypi.yml@4465a790edcc7b5e997b8bb9228e806aacde5dad -
Trigger Event:
workflow_dispatch
-
Statement type:
File details
Details for the file insecure_tree-0.1.0-py3-none-any.whl.
File metadata
- Download URL: insecure_tree-0.1.0-py3-none-any.whl
- Upload date:
- Size: 43.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c8cc4667bc0324fc9a6a011717c99a4030bb9e64fae4bda0b30c16d8ed49f3b1
|
|
| MD5 |
e201dc41d31c1d2470bf7e2c5563fe13
|
|
| BLAKE2b-256 |
2e70d489cad0df864704c6c1181d0299d723364d27901bb7b78d6f1efa0371b7
|
Provenance
The following attestation bundles were made for insecure_tree-0.1.0-py3-none-any.whl:
Publisher:
publish_to_pypi.yml on matthewdeanmartin/insecure_tree
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
insecure_tree-0.1.0-py3-none-any.whl -
Subject digest:
c8cc4667bc0324fc9a6a011717c99a4030bb9e64fae4bda0b30c16d8ed49f3b1 - Sigstore transparency entry: 1435889848
- Sigstore integration time:
-
Permalink:
matthewdeanmartin/insecure_tree@4465a790edcc7b5e997b8bb9228e806aacde5dad -
Branch / Tag:
refs/heads/main - Owner: https://github.com/matthewdeanmartin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish_to_pypi.yml@4465a790edcc7b5e997b8bb9228e806aacde5dad -
Trigger Event:
workflow_dispatch
-
Statement type:
