
GitHub Actions Workflow Hardening Audit

by Daniel Lummis · GitHub ↗ · v1.1.0
cross-platform · Security: Clean · 326 downloads · 0 stars · 1 active install · 2 versions
Install in OpenClaw: /install github-actions-workflow-hardening-audit
Description
Audit GitHub Actions workflow files for hardening gaps (missing timeouts/permissions/concurrency and floating action refs).
README (SKILL.md)

GitHub Actions Workflow Hardening Audit

Use this skill to statically audit .github/workflows/*.yml and *.yaml files before risky defaults leak into production CI: jobs with no runtime bound, a GITHUB_TOKEN that inherits the repository's default permissions instead of an explicit least-privilege set, and third-party actions pulled from a moving ref.

What this skill does

  • Scans workflow YAML files and scores hardening risk per file
  • Flags jobs missing timeout-minutes (an unbounded job ties up a runner, and a hijacked one can run for as long as it likes)
  • Flags workflows with no permissions declaration at workflow level and no per-job permissions either (the GITHUB_TOKEN then inherits the repository default)
  • Optionally flags missing concurrency controls (REQUIRE_CONCURRENCY=1)
  • Flags floating uses: refs (@main, @master, @latest, major-only tags like @v4), which whoever controls the action repository can repoint after you reviewed the code
  • Supports file/event regex filtering for targeted triage in large monorepos
  • Assigns a severity per file (ok / warn / critical) and can fail CI gates

Inputs

Optional:

  • WORKFLOW_GLOB (default: .github/workflows/*.y*ml)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • WARN_SCORE (default: 3)
  • CRITICAL_SCORE (default: 7)
  • REQUIRE_TIMEOUT (0/1, default: 1)
  • REQUIRE_PERMISSIONS (0/1, default: 1)
  • REQUIRE_CONCURRENCY (0/1, default: 0)
  • FLAG_FLOATING_REFS (0/1, default: 1)
  • ALLOW_REF_REGEX (regex allowlist for approved uses: refs, optional)
  • WORKFLOW_FILE_MATCH (regex include filter on file path, optional)
  • WORKFLOW_FILE_EXCLUDE (regex exclude filter on file path, optional)
  • EVENT_MATCH (regex include filter on parsed on: triggers, optional)
  • EVENT_EXCLUDE (regex exclude filter on parsed on: triggers, optional)
  • FAIL_ON_CRITICAL (0/1, default: 0)

Run

Text report:

WORKFLOW_GLOB='.github/workflows/*.y*ml' \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

JSON output + fail gate:

WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
REQUIRE_CONCURRENCY=1 \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

Filter to pull_request_target workflows only (these run with the base repository's GITHUB_TOKEN and secrets on pull-request events, so they deserve the strictest gate):

WORKFLOW_GLOB='.github/workflows/*.y*ml' \
EVENT_MATCH='pull_request_target' \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

Run against bundled fixtures:

WORKFLOW_GLOB='skills/github-actions-workflow-hardening-audit/fixtures/*.y*ml' \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

Output contract

  • Exit 0 in report mode (default), even when critical workflows are found
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more workflows are critical
  • Text mode prints summary + ranked workflow risks
  • JSON mode prints summary + ranked workflows + critical workflows
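A worked example of the checks listed under "What this skill does" and of the exit-code contract above, written for this page and not taken from the skill or its author: a line-oriented scanner in the same spirit as the skill's embedded Python, run over two constructed workflows. The WEIGHTS table, the sample workflows, the placeholder SHA and the function names (audit, severity, matches_event, gate_exit_code) are this example's own assumptions; the skill's actual scoring is not published on this page.

```python
"""Line-oriented hardening audit of GitHub Actions workflow text (added example).
Like the skill it scans lines and indentation instead of parsing YAML, so flow mappings,
anchors and multi-document files can be mis-read; the finding weights are this example's own."""
import re
from dataclasses import dataclass, field

WARN_SCORE, CRITICAL_SCORE = 3, 7                                         # the skill's defaults
WEIGHTS = {"timeout": 2, "permissions": 3, "concurrency": 1, "floating": 2}  # assumed weights
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FLOATING_RE = re.compile(r"^(main|master|latest|v?\d+)$")                 # branches, major-only tags

# Constructed sample workflows (not the skill's fixtures); the 40-hex ref is a placeholder SHA.
WEAK = """\
on:
  pull_request_target:
  push:
jobs:
  build:
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4
"""
HARDENED = """\
on: push
permissions: read-all
concurrency: ci-${{ github.ref }}
jobs:
  build:
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

@dataclass
class Report:
    events: list = field(default_factory=list)
    findings: list = field(default_factory=list)
    score: int = 0

def severity(score):
    return "critical" if score >= CRITICAL_SCORE else "warn" if score >= WARN_SCORE else "ok"

def audit(text, require_concurrency=False, allow_ref_regex=None):
    """Score one workflow; the keyword arguments mirror REQUIRE_CONCURRENCY and ALLOW_REF_REGEX."""
    rep = Report()
    allow = re.compile(allow_ref_regex) if allow_ref_regex else None
    top, jobs, section, job = set(), {}, None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        # `key: value` for mapping lines; list items ("- ...") and scalar lines give key "".
        key, sep, value = ("" if stripped.startswith("-") else stripped).partition(":")
        key, value = (key.strip() if sep else ""), value.strip()
        if indent == 0 and key:                          # workflow-level key
            top.add(key)
            section, job = key, None
            if key == "on" and value:                    # inline `on: push` / `on: [a, b]`
                rep.events += [e.strip() for e in value.strip("[]").split(",") if e.strip()]
        elif section == "on" and indent == 2 and key:     # block-form trigger list
            rep.events.append(key)
        elif section == "jobs" and indent == 2 and key:
            job = key
            jobs[job] = {"timeout-minutes": False, "permissions": False}
        elif job and indent == 4 and key in ("timeout-minutes", "permissions"):
            jobs[job][key] = True
        m = USES_RE.match(raw)                           # local "./path" actions have no "@": skip
        if m and "@" in m.group(1) and not (allow and allow.search(m.group(1))):
            if FLOATING_RE.match(m.group(1).rpartition("@")[2]):
                rep.findings.append(f"floating ref: {m.group(1)}")
                rep.score += WEIGHTS["floating"]
    for name, seen in jobs.items():
        if not seen["timeout-minutes"]:
            rep.findings.append(f"job {name}: no timeout-minutes")
            rep.score += WEIGHTS["timeout"]
        if "permissions" not in top and not seen["permissions"]:  # token inherits the repo default
            rep.findings.append(f"job {name}: no permissions at workflow or job level")
            rep.score += WEIGHTS["permissions"]
    if require_concurrency and "concurrency" not in top:
        rep.findings.append("no concurrency group")
        rep.score += WEIGHTS["concurrency"]
    return rep

def matches_event(rep, pattern):
    """EVENT_MATCH-style filter: True if any parsed trigger matches the regex."""
    return any(re.search(pattern, e) for e in rep.events)

def gate_exit_code(reports, fail_on_critical=False):
    """CI gate status: 1 only when FAIL_ON_CRITICAL is set and some file is critical."""
    return 1 if fail_on_critical and any(severity(r.score) == "critical" for r in reports) else 0

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        rep = audit(text, require_concurrency=True)
        print(f"{name}: {severity(rep.score)} score={rep.score} events={rep.events} {rep.findings}")
```

Run it directly to see the weak file come out critical and the hardened one ok. Passing allow_ref_regex=r"^actions/" drops the weak file into the warn band without changing a line of it, which is the point to remember about allowlists: the gate is only as strict as the regex you approve. Because the scanner keys on indentation, a workflow written with flow mappings or unusual indentation will be mis-scored, the same caveat that applies to the skill's regex-based parsing.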
Usage Guidance
This skill appears to do exactly what it says: statically scan .github/workflows files and report hardening gaps. Before running:
  1. Review the included script yourself (it is plain Bash with embedded Python) to ensure its behavior is acceptable.
  2. Run it on a copy or with a limited glob if you are concerned about scanning many files.
  3. Its YAML parsing is line-oriented/regex-based, not a full YAML parser, so verify any critical findings manually.
  4. The tool prints file paths and action refs; avoid running it where printing those to logs would leak sensitive repository details.
Capability Analysis
Type: OpenClaw Skill
Name: github-actions-workflow-hardening-audit
Version: 1.1.0
The skill is a static analysis tool that audits GitHub Actions workflow files for security hardening gaps such as missing timeouts, missing permissions declarations, or unpinned action versions. The implementation is a Bash wrapper with an embedded Python script (scripts/workflow-hardening-audit.sh) that uses only the standard library, parses the YAML by regex/line scanning, and generates risk reports; there is no evidence of data exfiltration, remote execution, or malicious intent.
Capability Assessment
Purpose & Capability
Name/description match the actual behavior. Required binaries (bash, python3) are reasonable for a script that shells out to run an embedded Python program. There are no unrelated environment variables, credentials, or config paths requested.
Instruction Scope
Runtime instructions and the included script are limited to reading workflow YAML files (glob, include/exclude filters, event filters) and producing a text/JSON report. It does not call external network endpoints or request secrets. Caution: the script parses YAML via regex/line scanning (not a YAML parser), so it can produce false positives/negatives and may mis-handle complex workflow files. The script prints file paths, scores, events, and 'uses' refs — review output if you consider file paths or refs sensitive.
Install Mechanism
No install spec: nothing is downloaded or written to disk. The only code is the bundled script, which runs in place when the skill is invoked.
Credentials
No credentials or privileged environment variables are required. Optional environment variables control filters and thresholds; these are proportional to the audit task. The script may output workflow file paths and referenced action refs, which you should treat as potentially sensitive information if your repo contains secret-related configuration.
Persistence & Privilege
Skill does not request persistent presence (always=false) and does not modify agent or system configuration. It runs as an on-demand script and does not attempt to store tokens or alter other skills.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install github-actions-workflow-hardening-audit
  3. After installation, invoke the skill by name or use /github-actions-workflow-hardening-audit
  4. All inputs are optional environment variables (see Inputs above); set the ones you need and read the text or JSON report
Version History
v1.1.0
Add file/event regex filters for targeted workflow triage in large repos
v1.0.0
Initial release: static hardening audit for workflow timeout/permissions/concurrency coverage and floating action refs with CI fail gate.
Metadata
Slug: github-actions-workflow-hardening-audit
Version: 1.1.0
License: (not stated on this page)
All-time Installs: 1
Active Installs: 1
Total Versions: 2
Frequently Asked Questions

What is GitHub Actions Workflow Hardening Audit?

Audit GitHub Actions workflow files for hardening gaps (missing timeouts/permissions/concurrency and floating action refs). It is an AI Agent Skill for Claude Code / OpenClaw, with 326 downloads so far.

How do I install GitHub Actions Workflow Hardening Audit?

Run "/install github-actions-workflow-hardening-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is GitHub Actions Workflow Hardening Audit free?

Yes, GitHub Actions Workflow Hardening Audit is free to download, install and use. The listing does not state a license, so check the repository before redistributing or modifying it.

Which platforms does GitHub Actions Workflow Hardening Audit support?

GitHub Actions Workflow Hardening Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available; the script itself needs only bash and python3.

Who created GitHub Actions Workflow Hardening Audit?

It is built and maintained by Daniel Lummis (@daniellummis); the current version is v1.1.0.
