GitHub Actions Workflow Hardening Audit
Author: Daniel Lummis (GitHub) · v1.1.0
326 total downloads · 0 favorites · 1 current install · 2 versions
Install in OpenClaw
/install github-actions-workflow-hardening-audit
Description
Audit GitHub Actions workflow files for hardening gaps (missing timeouts/permissions/concurrency and floating action refs).
Usage (SKILL.md)
GitHub Actions Workflow Hardening Audit
Use this skill to statically audit .github/workflows/*.yml files before risky defaults leak into production CI.
What this skill does
- Scans workflow YAML files and scores hardening risk per file
- Flags jobs missing timeout-minutes
- Flags missing permissions declarations (workflow-level or job-level)
- Optionally flags missing concurrency controls
- Flags floating uses: refs (@main, @master, @latest, major-only tags like @v4)
- Supports file/event regex filtering for targeted triage in large monorepos
- Raises severity (ok/warn/critical) and can fail CI gates
Inputs
Optional:
- WORKFLOW_GLOB (default: .github/workflows/*.y*ml)
- TOP_N (default: 20)
- OUTPUT_FORMAT (text or json, default: text)
- WARN_SCORE (default: 3)
- CRITICAL_SCORE (default: 7)
- REQUIRE_TIMEOUT (0/1, default: 1)
- REQUIRE_PERMISSIONS (0/1, default: 1)
- REQUIRE_CONCURRENCY (0/1, default: 0)
- FLAG_FLOATING_REFS (0/1, default: 1)
- ALLOW_REF_REGEX (regex whitelist for approved refs, optional)
- WORKFLOW_FILE_MATCH (regex include filter on file path, optional)
- WORKFLOW_FILE_EXCLUDE (regex exclude filter on file path, optional)
- EVENT_MATCH (regex include filter on parsed on: triggers, optional)
- EVENT_EXCLUDE (regex exclude filter on parsed on: triggers, optional)
- FAIL_ON_CRITICAL (0 or 1, default: 0)
Run
Text report:
WORKFLOW_GLOB='.github/workflows/*.y*ml' \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
JSON output + fail gate:
WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
REQUIRE_CONCURRENCY=1 \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
Filter to only PR-target workflows:
WORKFLOW_GLOB='.github/workflows/*.y*ml' \
EVENT_MATCH='pull_request_target' \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
Run against bundled fixtures:
WORKFLOW_GLOB='skills/github-actions-workflow-hardening-audit/fixtures/*.y*ml' \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
Output contract
- Exit 0 in report mode (default)
- Exit 1 when FAIL_ON_CRITICAL=1 and one or more workflows are critical
- Text mode prints summary + ranked workflow risks
- JSON mode prints summary + ranked workflows + critical workflows
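As an added illustration of the line-oriented audit the SKILL.md describes (this is not the skill's bundled script), the function below scans one workflow's text for the same gaps: jobs without timeout-minutes, missing workflow- or job-level permissions, optionally missing concurrency, and floating uses: refs, then scores them against the page's default WARN_SCORE/CRITICAL_SCORE thresholds. The weights, the ref pattern, the assumption of 2-space YAML indentation and the sample workflow are constructed for this example.

```python
import re
from itertools import takewhile

# Added illustration (not the skill's own script). Weights, the ref pattern, 2-space YAML
# indentation and the page's defaults (WARN_SCORE=3, CRITICAL_SCORE=7) are assumptions.
FLOATING_REF = re.compile(r"@(main|master|latest|v\d+)$")  # branch, latest, major-only tag
WEIGHTS = {"timeout": 2, "permissions": 3, "concurrency": 1, "floating_ref": 2}

def _indent(line):
    return len(line) - len(line.lstrip(" "))
def _block(lines, start, indent):  # lines nested under lines[start]
    return list(takewhile(lambda l: not l.strip() or _indent(l) > indent, lines[start + 1:]))
def _has_key(lines, key, indent):
    return any(_indent(l) == indent and l.strip().startswith(key + ":") for l in lines)

def audit_workflow(text, require_concurrency=False, allow_ref=None, warn_score=3, critical_score=7):
    lines = [l.rstrip() for l in text.splitlines() if not l.lstrip().startswith("#")]
    findings = []  # (kind, detail) pairs; returned with a score and ok/warn/critical severity
    if require_concurrency and not _has_key(lines, "concurrency", 0):
        findings.append(("concurrency", "workflow"))
    wf_permissions = _has_key(lines, "permissions", 0)  # workflow-level declaration covers all jobs
    jobs = next((_block(lines, i, 0) for i, l in enumerate(lines) if l == "jobs:"), [])
    for j, line in enumerate(jobs):
        if _indent(line) != 2 or not line.endswith(":"):
            continue  # not a job-name line
        job, body = line.strip()[:-1], _block(jobs, j, 2)
        if not _has_key(body, "timeout-minutes", 4):
            findings.append(("timeout", job))
        if not wf_permissions and not _has_key(body, "permissions", 4):
            findings.append(("permissions", job))
    for line in lines:  # uses: refs at any depth (steps or reusable workflows)
        m = re.search(r"\buses:\s*(\S+)", line)
        ref = m.group(1).strip("\"'") if m else ""
        if FLOATING_REF.search(ref) and not (allow_ref and re.search(allow_ref, ref)):
            findings.append(("floating_ref", ref))
    score = sum(WEIGHTS[kind] for kind, _ in findings)
    severity = "critical" if score >= critical_score else "warn" if score >= warn_score else "ok"
    return {"findings": findings, "score": score, "severity": severity}

# Constructed sample workflow (not from the page): "build" is unhardened, "deploy" is hardened.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/deploy-action@main
  deploy:
    timeout-minutes: 15
    permissions: {contents: read}
"""
```

Calling audit_workflow(SAMPLE) reports both gaps on the build job plus two floating refs for a score of 9 (critical), while passing allow_ref=r"^actions/" drops the checkout finding, mirroring ALLOW_REF_REGEX.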
Safe usage advice
This skill appears to do exactly what it says: statically scan .github/workflows files and report hardening gaps. Before running: (1) review the included script yourself (it's plain Python/Bash) to ensure its behavior is acceptable; (2) run it on a copy or limited glob if you are concerned about scanning many files; (3) be aware its YAML parsing is line-oriented/regex-based (not a full YAML parser) so verify any critical findings manually; (4) the tool prints file paths and action refs — avoid running it in contexts where printing those to logs would leak sensitive repository details.
Functional analysis
Type: OpenClaw Skill
Name: github-actions-workflow-hardening-audit
Version: 1.1.0
The skill is a static analysis tool designed to audit GitHub Actions workflow files for security hardening gaps, such as missing timeouts, permissions, or pinned action versions. The implementation consists of a Bash wrapper and an embedded Python script (scripts/workflow-hardening-audit.sh) that uses standard libraries to parse YAML files via regex and generate risk reports without any evidence of data exfiltration, remote execution, or malicious intent.
Capability assessment
Purpose & Capability
Name/description match the actual behavior. Required binaries (bash, python3) are reasonable for a script that shells out to run an embedded Python program. There are no unrelated environment variables, credentials, or config paths requested.
Instruction Scope
Runtime instructions and the included script are limited to reading workflow YAML files (glob, include/exclude filters, event filters) and producing a text/JSON report. It does not call external network endpoints or request secrets. Caution: the script parses YAML via regex/line scanning (not a YAML parser), so it can produce false positives/negatives and may mis-handle complex workflow files. The script prints file paths, scores, events, and 'uses' refs — review output if you consider file paths or refs sensitive.
Install Mechanism
Instruction-only skill with no install spec. The only code is the provided script; nothing is downloaded or written to disk beyond running the included script.
Credentials
No credentials or privileged environment variables are required. Optional environment variables control filters and thresholds; these are proportional to the audit task. The script may output workflow file paths and referenced action refs, which you should treat as potentially sensitive information if your repo contains secret-related configuration.
Persistence & Privilege
Skill does not request persistent presence (always=false) and does not modify agent or system configuration. It runs as an on-demand script and does not attempt to store tokens or alter other skills.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Type the install command in the chat box: /install github-actions-workflow-hardening-audit
- Once installed, invoke the Skill by name directly or trigger it with /github-actions-workflow-hardening-audit
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.1.0
Add file/event regex filters for targeted workflow triage in large repos
v1.0.0
Initial release: static hardening audit for workflow timeout/permissions/concurrency coverage and floating action refs with CI fail gate.
FAQ
What is GitHub Actions Workflow Hardening Audit?
Audit GitHub Actions workflow files for hardening gaps (missing timeouts/permissions/concurrency and floating action refs). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 326 downloads to date.
How do I install GitHub Actions Workflow Hardening Audit?
Run the command "/install github-actions-workflow-hardening-audit" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is GitHub Actions Workflow Hardening Audit free?
Yes, GitHub Actions Workflow Hardening Audit is completely free (open source) and can be freely downloaded, installed and used.
Which platforms does GitHub Actions Workflow Hardening Audit support?
GitHub Actions Workflow Hardening Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed GitHub Actions Workflow Hardening Audit?
Developed and maintained by Daniel Lummis (@daniellummis); current version v1.1.0.