GitHub Actions OIDC Hardening Audit

By Daniel Lummis (@daniellummis) · GitHub ↗ · v1.0.0
cross-platform ✓ Security check passed
Total downloads: 274 · Favorites: 0 · Current installs: 0 · Versions: 1

Install in OpenClaw:
/install github-actions-oidc-hardening-audit

Description

Audit GitHub Actions cloud auth workflows for OIDC hardening gaps like missing id-token write permissions, static cloud secrets, and floating auth action refs.

Usage notes (SKILL.md)

GitHub Actions OIDC Hardening Audit

Use this skill to catch risky cloud-auth patterns in workflow YAML before they become identity or secret exposure incidents.

What this skill does

  • Scans workflow YAML files (.github/workflows/*.yml by default)
  • Detects AWS/GCP/Azure auth action usage:
    • aws-actions/configure-aws-credentials
    • google-github-actions/auth
    • azure/login
  • Flags workflows that use cloud auth actions but miss permissions.id-token: write
  • Flags AWS auth usage without role-to-assume
  • Flags likely static cloud credential usage (aws-access-key-id, aws-secret-access-key, cloud credential secrets)
  • Flags floating auth action refs (@main, @master, @v1) unless allow-listed
  • Supports text/json output and CI fail gate

Inputs

Optional:

  • WORKFLOW_GLOB (default: .github/workflows/*.y*ml)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • WARN_SCORE (default: 3)
  • CRITICAL_SCORE (default: 7)
  • WORKFLOW_FILE_MATCH / WORKFLOW_FILE_EXCLUDE (regex, optional)
  • ALLOW_REF_REGEX (regex, optional) — allow-listed action refs
  • FAIL_ON_CRITICAL (0 or 1, default: 0)

Run

Text report:

WORKFLOW_GLOB='.github/workflows/*.yml' \
WARN_SCORE=3 \
CRITICAL_SCORE=7 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

JSON output + fail gate:

WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

Run against bundled fixtures:

WORKFLOW_GLOB='skills/github-actions-oidc-hardening-audit/fixtures/*.y*ml' \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

Output contract

  • Exit 0 in reporting mode (default)
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more workflows are critical
  • Text mode prints summary + top risky workflows
  • JSON mode prints summary + flagged workflows + critical workflows
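The checks listed under "What this skill does", the WARN_SCORE / CRITICAL_SCORE thresholds and the output contract above can be shown end to end in a small stdlib-only scanner. The block below is an added example written for this page; it is not the skill's own oidc-hardening-audit.sh script. The rule names, the per-finding weights, the line-based regex heuristics and the two sample workflows are assumptions constructed here (the action names and the input names aws-access-key-id, aws-secret-access-key, credentials_json and creds are the real ones those actions accept); the skill's actual scoring is not shown on the page.

```python
import json
import re

# Cloud auth actions named in SKILL.md; anything else is ignored.
AUTH_ACTIONS = ("aws-actions/configure-aws-credentials", "google-github-actions/auth", "azure/login")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([A-Za-z0-9_.\-/]+)@([^\s#]+)")
ID_TOKEN_WRITE_RE = re.compile(r"^\s*id-token:\s*write\b")
ROLE_TO_ASSUME_RE = re.compile(r"^\s*role-to-assume:")
# Inputs of those actions that take a long-lived secret instead of a federated identity.
STATIC_CRED_RE = re.compile(r"^\s*(aws-access-key-id|aws-secret-access-key|credentials_json|creds)\s*:", re.I)
FLOATING_REF_RE = re.compile(r"^(main|master|v\d+)$")
# Assumed per-finding weights; the skill's own scoring is not shown on the page.
WEIGHTS = {"missing-id-token-write": 4, "aws-missing-role-to-assume": 3,
           "static-cloud-credential": 4, "floating-auth-ref": 2}


def audit_workflow(name, text, warn_score=3, critical_score=7, allow_ref_regex=None):
    """Line-based scan of one workflow's YAML text; returns a scored result dict."""
    allow = re.compile(allow_ref_regex) if allow_ref_regex else None
    findings, auth_uses = [], []
    has_id_token_write = has_role_to_assume = False
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1) in AUTH_ACTIONS:
            auth_uses.append((lineno, m.group(1), m.group(2)))
        if ID_TOKEN_WRITE_RE.match(line):
            has_id_token_write = True
        if ROLE_TO_ASSUME_RE.match(line):
            has_role_to_assume = True
        m = STATIC_CRED_RE.match(line)
        if m:
            findings.append(("static-cloud-credential", lineno, f"'{m.group(1)}' supplies a long-lived cloud secret"))
    if auth_uses and not has_id_token_write:
        findings.append(("missing-id-token-write", auth_uses[0][0], "cloud auth action without permissions.id-token: write"))
    aws_uses = [u for u in auth_uses if u[1] == AUTH_ACTIONS[0]]
    if aws_uses and not has_role_to_assume:
        findings.append(("aws-missing-role-to-assume", aws_uses[0][0], "configure-aws-credentials without role-to-assume"))
    for lineno, action, ref in auth_uses:
        if FLOATING_REF_RE.match(ref) and not (allow and allow.search(f"{action}@{ref}")):
            findings.append(("floating-auth-ref", lineno, f"{action}@{ref} floats; pin to a full commit SHA"))
    score = sum(WEIGHTS[rule] for rule, _, _ in findings)
    level = "critical" if score >= critical_score else "warn" if score >= warn_score else "ok"
    return {"workflow": name, "score": score, "level": level,
            "findings": [{"rule": r, "line": ln, "detail": d} for r, ln, d in findings]}


def render(results, output_format="text", top_n=20):
    """Summary plus flagged/critical workflows, following the documented output contract."""
    ranked = sorted(results, key=lambda r: r["score"], reverse=True)
    flagged = [r for r in ranked if r["level"] != "ok"]
    critical = [r for r in ranked if r["level"] == "critical"]
    summary = {"scanned": len(results), "flagged": len(flagged), "critical": len(critical)}
    if output_format == "json":
        return json.dumps({"summary": summary, "flagged": flagged, "critical": critical}, indent=2)
    lines = [f"scanned={summary['scanned']} flagged={summary['flagged']} critical={summary['critical']}"]
    for r in ranked[:top_n]:
        lines.append(f"{r['level']:8} score={r['score']:<3} {r['workflow']}")
        lines.extend(f"    L{fd['line']} {fd['rule']}: {fd['detail']}" for fd in r["findings"])
    return "\n".join(lines)


def exit_code(results, fail_on_critical=False):
    """Exit 1 only when the fail gate is on and at least one workflow is critical."""
    return 1 if fail_on_critical and any(r["level"] == "critical" for r in results) else 0


# Constructed sample workflows (not the skill's bundled fixtures).
RISKY_WORKFLOW = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
"""
HARDENED_WORKFLOW = """\
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          role-to-assume: arn:aws:iam::123456789012:role/deploy
          aws-region: us-east-1
"""

if __name__ == "__main__":
    results = [audit_workflow("risky.yml", RISKY_WORKFLOW), audit_workflow("hardened.yml", HARDENED_WORKFLOW)]
    print(render(results))
    raise SystemExit(exit_code(results, fail_on_critical=True))
```

Run as a script it prints the text report and exits 1 because the risky sample scores 17 (two static credential inputs, no id-token: write, no role-to-assume, and a floating @v1 ref), while the hardened sample scores 0. Passing allow_ref_regex=r"configure-aws-credentials@v1$" mirrors ALLOW_REF_REGEX and suppresses only the floating-ref finding; the scanner is deliberately line-based, so a permissions block or role-to-assume anywhere in the file satisfies the check, which is the same granularity the skill's flags describe (per workflow, not per job).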
Safe-usage advice
This skill appears coherent for a local static audit of GitHub Actions workflows. Before installing/running: (1) review the included script (scripts/oidc-hardening-audit.sh) if you want to confirm behavior; (2) be deliberate about WORKFLOW_GLOB / WORKFLOW_FILE_MATCH values — the script will read any files those patterns match; (3) running with FAIL_ON_CRITICAL=1 will exit non-zero (useful in CI but will fail pipelines if findings meet the threshold); (4) the tool detects references to secrets but does not read secret values or contact external endpoints. If you plan to run it in a shared environment, consider running it on a checked-out copy of the repo or restricting the glob to avoid scanning unrelated sensitive paths.
Functional analysis
Type: OpenClaw Skill
Name: github-actions-oidc-hardening-audit
Version: 1.0.0
The skill is a security auditing tool designed to identify OIDC hardening gaps in GitHub Actions workflows. It uses a Python script within a bash wrapper (scripts/oidc-hardening-audit.sh) to scan YAML files for risky patterns such as static credentials, missing OIDC permissions, and unpinned action references. The logic is self-contained, uses only standard libraries, and lacks any indicators of data exfiltration, malicious execution, or prompt injection.
Capability assessment
Purpose & Capability
The name/description match the included script and fixtures. Required binaries (bash, python3) are appropriate for running the provided shell+Python scanner. No unrelated credentials, config paths, or network installs are requested.
Instruction Scope
SKILL.md and the script limit actions to scanning workflow YAML files and printing a report. The tool reads files matched by WORKFLOW_GLOB (default .github/workflows/*.y*ml) and supports arbitrary globs/regex, so a user-provided pattern could cause it to read other files on disk — this is expected for a scanner but worth noting.
Install Mechanism
Instruction-only skill with bundled script; there is no network download or package install. Nothing is written to disk beyond running the existing script, so install risk is low.
Credentials
No environment variables or secrets are required. The script inspects workflow files for secret references but does not access or require those secrets, nor does it send data externally.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide privileges or modify other skills. It runs locally and does not automatically persist configuration.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install github-actions-oidc-hardening-audit
  3. After installation, call the Skill by name or trigger it with /github-actions-oidc-hardening-audit
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release — GitHub Actions OIDC Hardening Audit skill:
  • Audits GitHub Actions workflows for OIDC authentication misconfigurations and risky patterns.
  • Flags missing `id-token: write` permissions, static cloud credential usage, weak action refs, and improper AWS role configuration.
  • Supports both text and JSON output, top-N reporting, and CI fail-gate.
  • Highly configurable via input environment variables and regex allow-lists.
  • Designed for security teams and DevOps to preemptively catch identity and secret exposure risks.
Metadata
Slug github-actions-oidc-hardening-audit
Version 1.0.0
License
Cumulative installs 0
Current installs 0
Historical versions 1
FAQ

What is GitHub Actions OIDC Hardening Audit?

Audit GitHub Actions cloud auth workflows for OIDC hardening gaps like missing id-token write permissions, static cloud secrets, and floating auth action refs. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 274 cumulative downloads so far.

How do I install GitHub Actions OIDC Hardening Audit?

Run the command "/install github-actions-oidc-hardening-audit" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is GitHub Actions OIDC Hardening Audit free?

Yes, GitHub Actions OIDC Hardening Audit is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does GitHub Actions OIDC Hardening Audit support?

GitHub Actions OIDC Hardening Audit runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed GitHub Actions OIDC Hardening Audit?

Developed and maintained by Daniel Lummis (@daniellummis); current version v1.0.0.
