GitHub Actions OIDC Hardening Audit
Use this skill to catch risky cloud-auth patterns in workflow YAML before they become identity or secret exposure incidents.
What this skill does
- Scans workflow YAML files (`.github/workflows/*.y*ml` by default, so both `.yml` and `.yaml`)
- Detects AWS/GCP/Azure auth action usage:
  - `aws-actions/configure-aws-credentials`
  - `google-github-actions/auth`
  - `azure/login`
- Flags workflows that use a cloud auth action but do not grant `permissions.id-token: write`; without that permission the job cannot request an OIDC token at all, so the action can only fall back to long-lived credentials
- Flags AWS auth usage without `role-to-assume`, the input that makes `configure-aws-credentials` exchange the OIDC token for a role session instead of consuming static keys
- Flags likely static cloud credential usage (`aws-access-key-id`, `aws-secret-access-key`, cloud credential secrets)
- Flags floating auth action refs (`@main`, `@master`, `@v1`) unless allow-listed; a mutable ref on the action that performs the credential exchange means an upstream tag move or compromise changes that code with no change in your repository
- Supports text/JSON output and a CI fail gate
Inputs
Optional:
- `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: `3`)
- `CRITICAL_SCORE` (default: `7`)
- `WORKFLOW_FILE_MATCH` / `WORKFLOW_FILE_EXCLUDE` (regex, optional)
- `ALLOW_REF_REGEX` (regex, optional): allow-listed action refs
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)
Run
Text report:
```bash
WORKFLOW_GLOB=.github/workflows/*.yml \
WARN_SCORE=3 \
CRITICAL_SCORE=7 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh
```
JSON output + fail gate:
```bash
WORKFLOW_GLOB=.github/workflows/*.yml \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh
```
Run against bundled fixtures:
```bash
WORKFLOW_GLOB=skills/github-actions-oidc-hardening-audit/fixtures/*.yml \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh
```
Output contract
- Exit `0` in reporting mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more workflows are rated critical against `CRITICAL_SCORE`
- Text mode prints a summary plus the top risky workflows (up to `TOP_N`)
- JSON mode prints a summary, the flagged workflows and the critical workflows
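The detection rules under "What this skill does" and the exit-code contract above, as an added example that is not the skill's own `oidc-hardening-audit.sh`: a minimal Python re-implementation run over two constructed workflows, one that passes static AWS keys to `configure-aws-credentials@v1` with no `id-token` permission, and a hardened one with `permissions.id-token: write`, `role-to-assume` and a SHA-pinned action. The thresholds are the documented defaults (`WARN_SCORE=3`, `CRITICAL_SCORE=7`); the per-finding weights, the line-based step splitter, treating `credentials_json` and `creds` as the "cloud credential secrets", and the all-zero placeholder SHA are this example's assumptions, not the script's behaviour. It does not parse YAML, so `uses:` values produced by matrix expansion or reusable-workflow calls will be missed.

```python
"""Added example: a minimal re-implementation of the audit rules documented above.
Not the skill's own script; weights, the step splitter and the extra credential
inputs are this example's assumptions."""
import json
import re

AUTH_ACTIONS = (
    "aws-actions/configure-aws-credentials",
    "google-github-actions/auth",
    "azure/login",
)
# Inputs that carry long-lived credentials instead of an OIDC-exchanged token.
# The two AWS keys are named on the page; credentials_json (GCP) and creds (Azure)
# are this example's assumption of what "cloud credential secrets" covers.
STATIC_CRED_INPUTS = {"aws-access-key-id", "aws-secret-access-key", "credentials_json", "creds"}
FLOATING_REF = re.compile(r"^(main|master|v\d+)$")  # @main, @master, @v1 as listed on the page

# Thresholds are the documented defaults; per-finding weights are assumptions.
WARN_SCORE, CRITICAL_SCORE = 3, 7
WEIGHTS = {
    "missing-id-token": 4,
    "static-credentials": 5,
    "aws-no-role-to-assume": 3,
    "floating-auth-ref": 2,
}

STEP_START = re.compile(r"^\s*-\s")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
KEY = re.compile(r"^\s*([A-Za-z0-9_-]+):")
ID_TOKEN_WRITE = re.compile(r"^\s*id-token:\s*write\s*$", re.M)


def split_steps(text):
    """Group lines into '- ' list items. A heuristic over raw text, not a YAML parser."""
    steps, current = [], []
    for line in text.splitlines():
        if STEP_START.match(line):
            if current:
                steps.append(current)
            current = [line]
        elif current:
            current.append(line)
    if current:
        steps.append(current)
    return steps


def audit(name, text, allow_ref_regex=None):
    """Return findings, score and level for one workflow; allow_ref_regex mirrors ALLOW_REF_REGEX."""
    allow = re.compile(allow_ref_regex) if allow_ref_regex else None
    findings = []
    uses_auth = False
    for step in split_steps(text):
        uses = next((m for m in map(USES.match, step) if m), None)
        if not uses:
            continue
        ref_spec = uses.group(1)
        action, _, ref = ref_spec.partition("@")
        if not action.startswith(AUTH_ACTIONS):
            continue
        uses_auth = True
        keys = {m.group(1) for m in map(KEY.match, step) if m}  # step-level and with: keys
        static = sorted(keys & STATIC_CRED_INPUTS)
        if static:
            findings.append(("static-credentials", f"{action} is given {static}"))
        if action == "aws-actions/configure-aws-credentials" and "role-to-assume" not in keys:
            findings.append(("aws-no-role-to-assume", f"{action} has no role-to-assume"))
        if FLOATING_REF.match(ref) and not (allow and allow.search(ref_spec)):
            findings.append(("floating-auth-ref", f"{ref_spec} is a mutable ref; pin a commit SHA"))
    if uses_auth and not ID_TOKEN_WRITE.search(text):
        findings.append(("missing-id-token", "cloud auth used without permissions.id-token: write"))
    score = sum(WEIGHTS[kind] for kind, _ in findings)
    level = "critical" if score >= CRITICAL_SCORE else "warn" if score >= WARN_SCORE else "ok"
    return {"workflow": name, "score": score, "level": level, "findings": findings}


def gate_exit_code(reports, fail_on_critical=False):
    """Exit-code contract: 0 in reporting mode, 1 only when gating and some workflow is critical."""
    return int(bool(fail_on_critical) and any(r["level"] == "critical" for r in reports))


# Constructed sample workflows (not from the page or any real repository).
RISKY = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - run: aws s3 sync ./dist s3://example-bucket
"""

HARDENED = """\
name: deploy
on: [push]
permissions:
  contents: read
  id-token: write
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS
        uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000  # placeholder SHA pin
        with:
          role-to-assume: arn:aws:iam::123456789012:role/example-deploy
          aws-region: us-east-1
      - run: aws s3 sync ./dist s3://example-bucket
"""

if __name__ == "__main__":
    reports = [audit("risky.yml", RISKY), audit("hardened.yml", HARDENED)]
    print(json.dumps(reports, indent=2))
    # Gate enabled, as with FAIL_ON_CRITICAL=1: the risky workflow makes this exit 1.
    raise SystemExit(gate_exit_code(reports, fail_on_critical=True))
```

Run stand-alone it prints both reports as JSON and exits 1, because gating is enabled in `__main__` and the risky workflow scores 14 (static keys 5, no `role-to-assume` 3, floating `@v1` 2, no `id-token` 4). Passing `allow_ref_regex="configure-aws-credentials@v1$"` drops only the floating-ref finding, which is what `ALLOW_REF_REGEX` is for: it silences the pin check, never the credential checks.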