diff --git a/.github/workflows/action_scanning.yml b/.github/workflows/action_scanning.yml
index 72207f7..09ef45b 100644
--- a/.github/workflows/action_scanning.yml
+++ b/.github/workflows/action_scanning.yml
@@ -1,29 +1,22 @@
 ### Required actions to scan GitHub action workflows for security issues.
 name: 'Scan GitHub Action workflows files for security issues'
-
 on:
 pull_request: {}
-
 permissions:
 contents: 'read'
 security-events: 'write'
 actions: 'read'
-
 jobs:
 semgrep:
 name: 'semgrep-oss/scan'
 runs-on: 'ubuntu-latest'
-
 container:
 image: 'index.docker.io/semgrep/semgrep@sha256:85782eaf09692e6dfb684cd3bad87ef315775814b01f76b4d15582e4ca7c1c89' # ratchet:semgrep/semgrep
-
 # Skip any PR created by dependabot to avoid permission issues:
 if: (github.actor != 'dependabot[bot]')
-
 steps:
 - name: 'Checkout Code'
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
-
 - name: 'Checkout Workflow Config'
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
 env:
@@ -31,16 +24,13 @@ jobs:
 with:
 repository: 'google/github-team'
 path: action_scanning
-
 - name: 'Run Actions semgrep scan'
 run: 'semgrep scan --sarif --config action_scanning/semgrep-rules/actions >> semgrep-results-actions.sarif'
-
 - name: 'Save Actions SARIF results as artifact'
 uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
 with:
 name: 'semgrep-scan-results-actions'
 path: 'semgrep-results-actions.sarif'
-
 - name: 'Upload Actions SARIF result to the GitHub Security Dashboard'
 uses: 'github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841' # ratchet:github/codeql-action/upload-sarif@v3
 with:
diff --git a/.github/workflows/markdown_format.yml b/.github/workflows/markdown_format.yml
index 7ec56eb..afd17b6 100644
--- a/.github/workflows/markdown_format.yml
+++ b/.github/workflows/markdown_format.yml
@@ -1,19 +1,15 @@
 ### Ensure that markdown files are properly formatted
 name: 'Check Markdown Format'
-
 on:
- pull_request:
+ pull_request:
 paths:
 - '**.md'
-
 jobs:
 mdformat:
 name: 'mdformat'
 runs-on: 'ubuntu-latest'
-
 steps:
 - name: 'Checkout Code'
 uses: 'actions/checkout@v4'
-
 - name: 'Check Markdown Format'
- run: 'pipx run mdformat --check --wrap 100 .'
\ No newline at end of file
+ run: 'tools/mdformat --check --wrap 100 .'
diff --git a/.github/workflows/publish_docs.yml b/.github/workflows/publish_docs.yml
index 348ba98..d59a3cb 100644
--- a/.github/workflows/publish_docs.yml
+++ b/.github/workflows/publish_docs.yml
@@ -1,30 +1,27 @@
 name: 'Publish Docs Site'
-
 on:
 push:
 branches:
 - master
 workflow_dispatch:
-
 permissions:
 pages: 'write'
 id-token: 'write'
-
 jobs:
 build:
 name: "Build Docs"
 runs-on: 'ubuntu-latest'
 steps:
- - uses: 'actions/checkout@v4'
- - name: 'Generate HTML from Markdown'
- uses: 'ldeluigi/markdown-docs@latest'
- with:
- src: 'docs'
- dst: 'generated-pages'
- - name: 'Upload artifact'
- uses: 'actions/upload-pages-artifact@v3'
- with:
- path: 'generated-pages'
+ - uses: 'actions/checkout@v4'
+ - name: 'Generate HTML from Markdown'
+ uses: 'ldeluigi/markdown-docs@latest'
+ with:
+ src: 'docs'
+ dst: 'generated-pages'
+ - name: 'Upload artifact'
+ uses: 'actions/upload-pages-artifact@v3'
+ with:
+ path: 'generated-pages'
 deploy:
 name: "Deploy Docs"
 environment:
@@ -35,4 +32,4 @@ jobs:
 steps:
 - name: 'Deploy to GitHub Pages'
 id: 'deployment'
- uses: 'actions/deploy-pages@v4'
\ No newline at end of file
+ uses: 'actions/deploy-pages@v4'
diff --git a/.github/workflows/publish_docs_preview.yml b/.github/workflows/publish_docs_preview.yml
index b1e1d4d..13d6e3a 100644
--- a/.github/workflows/publish_docs_preview.yml
+++ b/.github/workflows/publish_docs_preview.yml
@@ -1,5 +1,4 @@
 name: 'Publish Preview of Docs Site'
-
 on:
 pull_request:
 types:
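Review bot: The checkout step in this hunk still references the mutable `actions/checkout@v4` tag, while action_scanning.yml and semgrep_testing.yml in the same change pin checkout to a commit with a ratchet comment, which is presumably the kind of drift the action_scanning workflow is meant to flag. Pinning it the same way keeps the workflows consistent and removes a tag retarget from the supply chain: `uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4`. The same floating reference appears in the publish_docs.yml, publish_docs_preview.yml, publish_docs_preview_branch.yml and yaml_format.yml hunks, which also pull `ldeluigi/markdown-docs@latest`, `rossjrw/pr-preview-action@v1`, `actions/upload-pages-artifact@v3` and `actions/deploy-pages@v4` by tag; the Pages jobs run with `pages: write` and `id-token: write`, so those are worth pinning too.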
@@ -7,23 +6,21 @@ on:
 - reopened
 - synchronize
 - closed
-
 permissions:
 contents: 'write'
 pull-requests: 'write'
-
 jobs:
 build:
 name: "Build PR Preview Docs"
 runs-on: 'ubuntu-latest'
 steps:
- - uses: 'actions/checkout@v4'
- - name: 'Generate HTML from Markdown'
- uses: 'ldeluigi/markdown-docs@latest'
- with:
- src: 'docs'
- dst: 'generated-pages'
- - name: 'Deploy GitHub Pages Preview'
- uses: rossjrw/pr-preview-action@v1
- with:
- source-dir: './generated-pages/'
\ No newline at end of file
+ - uses: 'actions/checkout@v4'
+ - name: 'Generate HTML from Markdown'
+ uses: 'ldeluigi/markdown-docs@latest'
+ with:
+ src: 'docs'
+ dst: 'generated-pages'
+ - name: 'Deploy GitHub Pages Preview'
+ uses: rossjrw/pr-preview-action@v1
+ with:
+ source-dir: './generated-pages/'
diff --git a/.github/workflows/publish_docs_preview_branch.yml b/.github/workflows/publish_docs_preview_branch.yml
index 32e5032..dd62013 100644
--- a/.github/workflows/publish_docs_preview_branch.yml
+++ b/.github/workflows/publish_docs_preview_branch.yml
@@ -1,30 +1,25 @@
 name: 'Publish Preview of Docs Site from branch'
-
-# The publish_docs_preview.yml workflow takes a PR and publishes the results to it's own branch
+# The publish_docs_preview.yml workflow takes a PR and publishes the results to it's own branch
 # so users can preview it. But that git branch then needs some way to publish, so this action does that.
-
-on:
+on:
 push:
 branch:
- - gh-pages
-
+ - gh-pages
 permissions:
 pages: 'write'
 id-token: 'write'
-
-
 jobs:
 stage:
 name: "Stage PR preview from branch to pages"
 runs-on: 'ubuntu-latest'
 steps:
- - uses: 'actions/checkout@v4'
- with:
- ref: 'refs/heads/gh-pages'
- - name: 'Upload artifact'
- uses: 'actions/upload-pages-artifact@v3'
- with:
- path: '.'
+ - uses: 'actions/checkout@v4'
+ with:
+ ref: 'refs/heads/gh-pages'
+ - name: 'Upload artifact'
+ uses: 'actions/upload-pages-artifact@v3'
+ with:
+ path: '.'
 deploy:
 name: "Deploy PR Preview from branch to pages"
 needs: 'stage'
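Review bot: The re-indented trigger in this hunk keeps `push: branch:` with `- gh-pages` under it, but the GitHub Actions filter key is `branches`; as far as I know the workflow parser rejects the unknown key, and if it were tolerated the job would run on every push rather than only on pushes to gh-pages. Since this job deploys with `pages: write` and `id-token: write`, that filter is the only thing scoping it, so the line should read `branches:`. While the comment line is being rewritten, `it's own branch` should read `its own branch`. The deploy job continues past the end of the hunk.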
diff --git a/.github/workflows/semgrep_testing.yml b/.github/workflows/semgrep_testing.yml
index 7c69a9c..73abc01 100644
--- a/.github/workflows/semgrep_testing.yml
+++ b/.github/workflows/semgrep_testing.yml
@@ -1,27 +1,20 @@
 ### Ensure that our local testing always passes
 name: 'Run semgrep tests'
-
 on:
 pull_request: {}
-
 permissions:
 contents: 'read'
 actions: 'read'
-
 jobs:
 semgrep-tests:
 name: 'Run semgrep tests'
 runs-on: 'ubuntu-latest'
-
 container:
 image: index.docker.io/semgrep/semgrep@sha256:85782eaf09692e6dfb684cd3bad87ef315775814b01f76b4d15582e4ca7c1c89 # ratchet:semgrep/semgrep
-
 # Skip any PR created by dependabot to avoid permission issues:
 if: (github.actor != 'dependabot[bot]')
-
 steps:
 - name: 'Checkout Code'
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
-
 - name: 'Run Actions semgrep scan'
 run: 'semgrep --test --config semgrep-rules semgrep-tests'
diff --git a/.github/workflows/yaml_format.yml b/.github/workflows/yaml_format.yml
new file mode 100644
index 0000000..efc5017
--- /dev/null
+++ b/.github/workflows/yaml_format.yml
@@ -0,0 +1,16 @@
+### Ensure that Yaml files are properly formatted
+name: 'Check Yaml Format'
+on:
+ pull_request:
+ paths:
+ - '**.yml'
+ - '**.yaml'
+jobs:
+ yamlfmt:
+ name: 'yamlfmt'
+ runs-on: 'ubuntu-latest'
+ steps:
+ - name: 'Checkout Code'
+ uses: 'actions/checkout@v4'
+ - name: 'Check Yaml Format'
+ run: 'tools/yamlfmt --lint .'
diff --git a/.yamlfmt b/.yamlfmt
new file mode 100644
index 0000000..0a3382f
--- /dev/null
+++ b/.yamlfmt
@@ -0,0 +1,3 @@
+formatter:
+ max_line_length: 100
+ trim_trailing_whitespace: true
diff --git a/semgrep-tests/actions/pull_request_target_needs_exception.test.yaml b/semgrep-tests/actions/pull_request_target_needs_exception.test.yaml
index 26411be..551312c 100644
--- a/semgrep-tests/actions/pull_request_target_needs_exception.test.yaml
+++ b/semgrep-tests/actions/pull_request_target_needs_exception.test.yaml
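Review bot: The new yaml_format.yml declares no `permissions:` block, so its job runs with the repository's default GITHUB_TOKEN permissions although checkout plus lint needs only read access; action_scanning.yml and semgrep_testing.yml in this same change set `permissions:` with `contents: 'read'` explicitly, and markdown_format.yml has the same gap. Add the same two lines under `name:` here. The `paths` filter also misses the files that define the check: a change to `.yamlfmt` or `tools/yamlfmt` alone will not trigger it, so add `- '.yamlfmt'` and `- 'tools/yamlfmt'` to the list (markdown_format.yml similarly ignores `tools/mdformat`).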
@@ -1,3 +1,3 @@
 on:
 # ruleid: pull-request-target-needs-exception
- pull_request_target:
\ No newline at end of file
+ pull_request_target:
diff --git a/tools/mdformat b/tools/mdformat
new file mode 100755
index 0000000..a9ecfed
--- /dev/null
+++ b/tools/mdformat
@@ -0,0 +1,2 @@
+#!/bin/sh
+pipx run mdformat $*
\ No newline at end of file
diff --git a/tools/yamlfmt b/tools/yamlfmt
new file mode 100755
index 0000000..b8c55e6
--- /dev/null
+++ b/tools/yamlfmt
@@ -0,0 +1,2 @@
+#!/bin/sh
+docker run -v "$(pwd):/project" ghcr.io/google/yamlfmt:latest $*
\ No newline at end of file
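Review bot: `pipx run mdformat $*` re-splits and glob-expands the caller's arguments because `$*` is unquoted, so any argument containing whitespace or a glob character reaches mdformat mangled; use `pipx run mdformat "$@"`. tools/yamlfmt in this same change has the identical `$*` at the end of its docker line. The file is also committed without a trailing newline, as the `\ No newline at end of file` marker shows.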
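Review bot: The wrapper runs `ghcr.io/google/yamlfmt:latest`, a floating tag, so the formatter that gates every PR can change underneath the project without a commit, whereas the semgrep workflows in this diff pin their container image by sha256 digest; pin this one the same way, e.g. `docker run --rm -v "$(pwd):/project" -w /project ghcr.io/google/yamlfmt@sha256:<DIGEST_PLACEHOLDER> "$@"`. That line also adds `--rm` so each run's container is discarded, sets the working directory explicitly instead of assuming the image's WORKDIR is `/project` (not visible here; confirm against the image), and quotes the arguments, since `$*` has the same re-splitting problem as in tools/mdformat. Note that any path the caller passes is interpreted inside the container, which works for the workflow's `.` argument but not for absolute host paths.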