ci-doctor vs octoscan

octoscan is a security-focused workflow analyzer from Synacktiv. ci-doctor is a cost-and-reliability-focused audit that includes a few security rules. Closest scope of any competitor on this list - they overlap on a few rules and complement each other on the rest.

tl;dr: If you have user-content workflows (PRs from forks, repos with arbitrary issue content), run both. ci-doctor for cost and reliability, octoscan for the security depth. They take seconds each.

Where octoscan wins

  • Deep security focus: untrusted input flow analysis, pull_request_target abuse patterns, injection sinks, secrets in step outputs.
  • Catches script injection in ${{ github.event.* }} contexts that ci-doctor does not parse.
  • Maintained by a security firm; rule design comes from real assessments.

Where ci-doctor wins

  • Cost rules: missing-concurrency, missing-timeout, missing-cache, stale-cache-key, matrix-overcommit, fail-fast-true, expensive-runner, always-run-on-pr, artifact-no-retention, fetch-depth-zero, wide-trigger. octoscan does not address cost.
  • Auto-fix mode for safe rules.
  • Pure JavaScript - zero install with npx ci-doctor; no Go toolchain.
  • Companion gha-budget CLI for dollar figures per workflow.

Where they overlap

Both flag missing permissions: blocks and unpinned third-party actions. octoscan does it from a "what attack does this enable" angle; ci-doctor does it from a "what is the safe default" angle.
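To make the overlap concrete, here is an added example (my own code, not ci-doctor's or octoscan's) of a minimal auditor that implements a few of the rule classes mentioned above: the two overlapping rules (missing permissions block, unpinned third-party action), three cost rules from the ci-doctor list (missing-concurrency, missing-timeout, fetch-depth-zero), and the github.event expression-in-run pattern from the octoscan list. Workflows are represented as plain objects, the shape a YAML parser returns, so it runs with no dependencies. The two sample workflows, the some-org/setup-tool action and its all-zero SHA are constructed placeholders; treating only actions/ and github/ as first-party is an assumption of this example, not a rule either tool documents.

```javascript
// Added example, not code from ci-doctor or octoscan: a minimal workflow
// auditor for a few of the rule classes discussed on the page. Workflows are
// plain objects (what a YAML parser such as js-yaml would return), so this
// runs without dependencies. Rule names follow the page's ci-doctor names;
// the detection logic is this example's own.
const SHA_PIN = /^[0-9a-f]{40}$/i;
// Assumption: actions under these owners count as first-party.
const FIRST_PARTY = ['actions/', 'github/'];

function auditWorkflow(wf) {
  const findings = [];
  const flag = (rule, where) => findings.push({ rule, where });

  // Overlap rule: with no top-level permissions: block every job inherits
  // the repository's default GITHUB_TOKEN permissions instead of a minimal set.
  if (wf.permissions === undefined) flag('missing-permissions', 'workflow');
  // Cost rule: without a concurrency group, superseded runs on the same
  // branch keep running (and billing) until they finish on their own.
  if (wf.concurrency === undefined) flag('missing-concurrency', 'workflow');

  for (const [jobName, job] of Object.entries(wf.jobs || {})) {
    // Cost rule: the default job timeout is 360 minutes; a hung step bills all of it.
    if (job['timeout-minutes'] === undefined) flag('missing-timeout', jobName);

    (job.steps || []).forEach((step, i) => {
      const where = `${jobName}/step[${i}]`;
      if (typeof step.uses === 'string' && !step.uses.startsWith('./')) {
        const [ref, version = ''] = step.uses.split('@');
        const firstParty = FIRST_PARTY.some((p) => ref.startsWith(p));
        // Overlap rule: a tag or branch ref can be moved by whoever controls
        // the action's repository; a full-length commit SHA cannot.
        if (!firstParty && !SHA_PIN.test(version)) flag('unpinned-action', where);
        // Cost rule: fetch-depth: 0 clones the full history on every run.
        if (ref === 'actions/checkout' && step.with && step.with['fetch-depth'] === 0) {
          flag('fetch-depth-zero', where);
        }
      }
      // Security rule: a ${{ github.event.* }} expression inside run: is
      // substituted into the shell script before it executes. The safe form
      // passes the value through env: and reads "$VAR" inside the script.
      if (typeof step.run === 'string' && /\$\{\{\s*github\.event\./.test(step.run)) {
        flag('event-expression-in-run', where);
      }
    });
  }
  return findings;
}

// Constructed sample: a workflow that trips every rule above.
const WEAK_WORKFLOW = {
  name: 'ci',
  on: { pull_request: {} },
  jobs: {
    test: {
      'runs-on': 'ubuntu-latest',
      steps: [
        { uses: 'actions/checkout@v4', with: { 'fetch-depth': 0 } },
        { uses: 'some-org/setup-tool@v2' }, // placeholder third-party action
        { run: 'echo "PR title: ${{ github.event.pull_request.title }}"' },
      ],
    },
  },
};

// Constructed sample: the same workflow with each finding addressed.
const HARDENED_WORKFLOW = {
  name: 'ci',
  on: { pull_request: {} },
  permissions: { contents: 'read' },
  concurrency: { group: 'ci-${{ github.ref }}', 'cancel-in-progress': true },
  jobs: {
    test: {
      'runs-on': 'ubuntu-latest',
      'timeout-minutes': 15,
      steps: [
        { uses: 'actions/checkout@v4' },
        // All-zero SHA is a placeholder, not a real release of any action.
        { uses: 'some-org/setup-tool@0000000000000000000000000000000000000000' },
        {
          run: 'echo "PR title: $PR_TITLE"',
          env: { PR_TITLE: '${{ github.event.pull_request.title }}' },
        },
      ],
    },
  },
};

// Sorted rule names, convenient for comparing two workflows.
function ruleNames(wf) {
  return auditWorkflow(wf).map((f) => f.rule).sort();
}

console.log('weak:', ruleNames(WEAK_WORKFLOW));
console.log('hardened:', ruleNames(HARDENED_WORKFLOW));
```

The weak workflow yields six findings and the hardened one none; the hardened version keeps the same behaviour (full checkout is not needed for a test job, and the PR title still reaches the script, only via the environment rather than by substitution into the script text).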

Run them side by side

This is the answer for most teams. Both finish in seconds:

# security depth
octoscan all .github/workflows
# cost + reliability
npx ci-doctor

Try ci-doctor in 6 ms

Zero install, zero config:

# 14-rule audit of every workflow under .github/workflows/
npx ci-doctor

# auto-apply the four safe fixes
npx ci-doctor --fix

# SARIF for GitHub Code Scanning
npx ci-doctor --sarif > results.sarif

Want the long-form patterns?

The Cut Your CI Bill cookbook is 30 paste-ready GitHub Actions patterns plus 5 hardened workflow templates - the why behind every default ci-doctor enforces. $19, one-time, MIT-licensed templates.


About this comparison

Written 2026-04-27 by the maintainer of ci-doctor. See octoscan on GitHub for upstream documentation. If anything here is incorrect or outdated, open an issue at depmedicdev-byte/ci-doctor/issues and I will fix it. We do not pay for placement and we do not accept paid placement.
