ci-doctor alternatives: the honest comparison
If you're picking a GitHub Actions auditor, you have five real options: actionlint, zizmor, octoscan, super-linter, and ci-doctor. They cover different problem spaces and partially overlap. Here is the honest, side-by-side comparison so you can pick the smallest combo that covers your real risks.
last updated 2026-04-28 · scope GitHub Actions only · format head-to-head feature matrix
TL;DR - the smallest combo that covers everything
If you only have time for one PR, run actionlint + ci-doctor:
```yaml
# in your workflow
- uses: rhysd/actionlint@v1
- uses: depmedicdev-byte/ci-doctor-action@v1
  with:
    severity-threshold: warn
    comment-on-pr: true
    upload-sarif: true
```
That covers schema correctness (actionlint) + cost waste, security gaps beyond schema, and reliability (ci-doctor). If you handle secrets or forked PRs, add zizmor or octoscan as a third pass for deep workflow security.
The 5 tools at a glance
| Tool | Primary focus | Cost rules | Security rules | Reliability | SARIF | Setup |
|---|---|---|---|---|---|---|
| actionlint | YAML schema + shellcheck | no | partial | no | via wrapper | 1 step |
| zizmor | Workflow security | no | deep | no | yes | 1 step |
| octoscan | Workflow security (red-team) | no | deep | no | yes | 1 step |
| super-linter | Multi-language linter aggregator | no | depends on bundled linters | no | per-linter | 1 step (heavy) |
| ci-doctor | Cost + security + reliability | yes | yes | yes | yes | 1 step (Action) |
Detailed breakdown
actionlint
What it does: Validates the workflow YAML schema, catches expression syntax errors, runs shellcheck on inline run: blocks, and validates referenced action inputs.
Where it shines: Catches typos and broken references that would cause your workflow to fail at runtime. Fast, zero-config, extremely well-maintained.
Where it misses: Will not flag a workflow that runs on every branch, has no timeout-minutes, uses GITHUB_TOKEN: write-all, or burns 8 cores when 2 would do. Schema-correct can still be expensive and insecure.
Verdict: Required. Run this. It is not a substitute for ci-doctor; it complements it.
zizmor
What it does: Deep workflow security analysis. Catches dangerous triggers (pull_request_target with forked checkout), template injection, persisted credentials, artifact poisoning, and many more workflow-specific attack patterns.
Where it shines: The single best tool for catching the workflow-security stuff that has caused the famous GitHub Actions supply-chain incidents. Excellent ruleset.
Where it misses: Not a cost tool. Won't tell you that ubuntu-latest is a moving target where ubuntu-22.04 would be deterministic, or that your matrix is exploding.
Verdict: Strongly recommended if you accept PRs from forks or handle secrets in CI. Pair with ci-doctor.
octoscan
What it does: Static analysis from a red-team perspective. Hunts the same class of bugs as zizmor but with a different ruleset and different false-positive profile.
Where it shines: Finds attack chains in multi-step workflows. Excellent for security audits of large monorepos.
Where it misses: Same blind spots as zizmor on cost / reliability. Slower than ci-doctor / actionlint on small repos.
Verdict: Add it if you already have a security team running it; otherwise zizmor + ci-doctor cover most teams.
super-linter
What it does: Aggregates ~50 linters into a single Docker image. Runs them all on every push.
Where it shines: If you have a polyglot monorepo and want one Action to lint Python + JS + YAML + Markdown + 10 more languages.
Where it misses: Not designed to audit the workflow itself. Slow (Docker pull + 50 linters). Hard to scope down.
Verdict: Pick this for source-code linting diversity, not for workflow auditing. ci-doctor is the missing workflow-audit half.
ci-doctor
What it does: Audits GitHub Actions workflows for cost waste (oversized runners, exploding matrix, missing concurrency, unused caches), security gaps (unpinned actions, write-all GITHUB_TOKEN, secrets in env), and reliability (no timeout-minutes, missing concurrency:, hang-prone steps).
Where it shines: The only tool that combines all three. Single npx invocation, <1s on most repos, ships a companion Action with sticky PR comment + SARIF upload, plus sister CLIs for GitLab CI, Bitbucket Pipelines, Azure Pipelines, CircleCI.
Where it misses: Not a YAML schema validator; use actionlint alongside. Doesn't go as deep as zizmor on a few exotic security patterns; pair with zizmor for paranoid environments.
Verdict: The "cost + reliability" half of any serious CI audit story. Free, MIT, no telemetry.
What about the cost side?
The other four tools are security/correctness tools. They do not flag waste. ci-doctor was built specifically because no one in the existing tooling answered "is my CI burning money?"
Cost rules ci-doctor checks that nothing else does:
- Matrix explosion (catches os x version x node grids that compile to 27 jobs)
- Missing concurrency: (lets every push to a PR start a fresh run, leaving N stale ones in the queue)
- Missing timeout-minutes (a hung job runs for the 6-hour default ceiling and bills every minute)
- Oversized runners (ubuntu-22.04-arm64-32core when ubuntu-latest would do)
- Unused caches (actions/cache declared but the path is wrong, so every run is a cold build)
- Wide path triggers (**/* on a docs change re-runs the full test suite)
These are the rules that pay back in dollars per month, not just "passes lint."
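To make the cost and security rules above concrete, here is an added, self-contained Python audit of a parsed workflow. It is not ci-doctor's code: the rule logic, the `max_matrix_jobs` threshold and the sample workflow are my own construction for this page. It computes the job count a `strategy.matrix` expands to (with `include`/`exclude` handling), and flags a missing `concurrency:`, a missing `timeout-minutes`, `write-all` permissions, secrets spread to every step via workflow-level `env`, catch-all path filters, and actions not pinned to a commit SHA. The workflow is embedded as the dict that `yaml.safe_load` would return, so it runs without PyYAML; the 40-hex SHA in it is a placeholder, not a real commit.

```python
import re
from itertools import product

# Constructed sample: the parsed form of a wasteful workflow (what
# yaml.safe_load would produce). Values are illustrative, not a real repo.
SAMPLE_WORKFLOW = {
    "on": {"pull_request": {"paths": ["**/*"]}},
    "permissions": "write-all",
    "jobs": {
        "test": {
            "runs-on": "${{ matrix.os }}",
            "strategy": {
                "matrix": {
                    "os": ["ubuntu-latest", "macos-latest", "windows-latest"],
                    "node": [18, 20, 22],
                    "version": ["1.0", "1.1", "1.2"],
                }
            },
            "steps": [
                {"uses": "actions/checkout@v4"},  # tag ref: mutable, not pinned
                # placeholder SHA constructed for the example, not a real commit
                {"uses": "actions/setup-node@0123456789abcdef0123456789abcdef01234567"},
                {"run": "npm test"},
            ],
        },
    },
}

# A 40-hex ref after '@' is a commit SHA pin; tags and branches can be moved.
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")
DEFAULT_TIMEOUT_MINUTES = 360  # GitHub's default ceiling for a job without timeout-minutes


def matrix_job_count(matrix):
    """Jobs a strategy.matrix expands to: product of the axes, minus combinations
    removed by `exclude`, plus `include` entries that add a new combination
    (an include that only adds keys to an existing combination is a merge)."""
    axes = {k: v for k, v in matrix.items() if k not in ("include", "exclude")}
    combos = [dict(zip(axes, vals)) for vals in product(*axes.values())] if axes else []
    for ex in matrix.get("exclude", []):
        combos = [c for c in combos if not all(c.get(k) == v for k, v in ex.items())]
    extra = 0
    for inc in matrix.get("include", []):
        axis_part = {k: v for k, v in inc.items() if k in axes}
        if not any(all(c[k] == v for k, v in axis_part.items()) for c in combos):
            extra += 1
    return len(combos) + extra


def audit(workflow, max_matrix_jobs=10):
    """Return (kind, location, message) findings; kind is cost, security or reliability."""
    findings = []
    if "concurrency" not in workflow:
        findings.append(("cost", "workflow", "missing concurrency: stale runs for the same PR keep queuing"))
    if workflow.get("permissions") == "write-all":
        findings.append(("security", "workflow", "GITHUB_TOKEN permissions: write-all"))
    for key, value in (workflow.get("env") or {}).items():
        if "secrets." in str(value):
            findings.append(("security", "workflow", f"secret exposed to every step via env.{key}"))
    # PyYAML (YAML 1.1) parses the bare key `on` as boolean True, so accept both.
    triggers = workflow.get("on") or workflow.get(True) or {}
    if isinstance(triggers, dict):
        for event, cfg in triggers.items():
            paths = cfg.get("paths", []) if isinstance(cfg, dict) else []
            if any(p in ("**", "**/*") for p in paths):
                findings.append(("cost", f"on.{event}", "path filter matches every file; a docs change runs the full suite"))
    for name, job in workflow.get("jobs", {}).items():
        if "timeout-minutes" not in job:
            findings.append(("reliability", name, f"no timeout-minutes; a hung job bills up to {DEFAULT_TIMEOUT_MINUTES} minutes"))
        if job.get("permissions") == "write-all":
            findings.append(("security", name, "job permissions: write-all"))
        matrix = (job.get("strategy") or {}).get("matrix")
        if matrix:
            n = matrix_job_count(matrix)
            if n > max_matrix_jobs:
                findings.append(("cost", name, f"matrix expands to {n} jobs"))
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            if uses and not uses.startswith(("./", "docker://")) and not SHA_PIN.search(uses):
                findings.append(("security", name, f"action not pinned to a commit SHA: {uses}"))
    return findings


if __name__ == "__main__":
    for kind, where, msg in audit(SAMPLE_WORKFLOW):
        print(f"[{kind}] {where}: {msg}")
```

On the sample this reports six findings: the missing concurrency group, write-all permissions, the catch-all path filter, the missing timeout, a 27-job matrix and the tag-pinned checkout action; the SHA-pinned step is left alone. The matrix count is the piece worth keeping even if you use a real tool, since a three-axis grid is easy to write and hard to eyeball.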
Beyond GitHub Actions
If your team uses multiple CI providers, ci-doctor has sister CLIs for each. Same rule philosophy, same output format:
- gitlab-ci-doctor - .gitlab-ci.yml (14 rules)
- bitbucket-ci-doctor - bitbucket-pipelines.yml (8 rules)
- azure-pipelines-ci-doctor - azure-pipelines.yml (8 rules)
- circleci-ci-doctor - .circleci/config.yml (8 rules)
None of the other tools in this comparison cover non-GitHub CI providers.
Pricing
| Tool | License | Self-host | Hosted SaaS? |
|---|---|---|---|
| actionlint | MIT | yes | no |
| zizmor | MIT | yes | no |
| octoscan | MIT | yes | no |
| super-linter | MIT | yes | no |
| ci-doctor | MIT | yes | via GitHub App + Pro tier |
Every tool here is free and open-source. ci-doctor optionally has a Pro tier ($5/mo) that adds: per-org rule customization, Slack/Webhook delivery of weekly digests, priority support, and the GitHub App turnkey install.
Try ci-doctor on your repo right now
The in-browser scanner takes a paste, runs all 16 rules, and shows the report inline. Nothing leaves your browser.
FAQ
Do I need ci-doctor if I already use actionlint?
Yes. actionlint validates your workflow YAML schema; ci-doctor audits its cost, security, and reliability. They don't overlap meaningfully.
Do I need ci-doctor if I already use zizmor?
Yes if you care about cost or reliability. zizmor catches workflow-security flaws (and is excellent at it). ci-doctor catches cost waste, missing timeouts, exploding matrices, etc. Run both; they share zero rules.
Why a separate Action when ci-doctor is just a CLI?
The Action wraps npx ci-doctor with a sticky PR comment (so a re-run replaces the old comment instead of stacking), optional SARIF upload to GitHub Code Scanning, and a configurable severity gate that fails the check on errors but not warnings.
What does the Pro tier add?
Per-org rule overrides (mute a noisy rule across all repos), Slack/Webhook delivery of the weekly leaderboard digest, the hosted GitHub App with one-click install, and priority response on issues. The free CLI never expires and is feature-complete on its own.
Is the data sent anywhere?
No. Both the CLI and the in-browser scanner run locally. The optional GitHub App processes your workflows in a Cloudflare Worker that never persists workflow content; only aggregate counts are kept for the leaderboard.