# GitHub Actions Permission Scope Audit

Use this skill to detect over-broad `GITHUB_TOKEN` permissions and scope drift across GitHub Actions workflows.

## What this skill does

- Reads workflow YAML files
- Detects explicit broad permission grants (`write-all`, `contents: write`, etc.)
- Flags risky patterns such as `pull_request_target` workflows with write permissions
- Identifies workflows with no explicit `permissions` policy
- Emits text or JSON for CI triage and policy gates

## Inputs

Optional:

- `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: `2`)
- `CRITICAL_SCORE` (default: `5`)
- `FLAG_MISSING_PERMISSIONS` (`0` or `1`, default: `1`)
- `FLAG_WRITE_ALL` (`0` or `1`, default: `1`)
- `FLAG_WRITE_SCOPES` (`0` or `1`, default: `1`)
- `WORKFLOW_FILE_MATCH` / `WORKFLOW_FILE_EXCLUDE` (regex, optional)
- `EVENT_MATCH` / `EVENT_EXCLUDE` (regex, optional)
- `PERMISSION_MATCH` / `PERMISSION_EXCLUDE` (regex, optional)
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)

## Run

Text report:

```bash
WORKFLOW_GLOB=.github/workflows/*.yml \
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
```

JSON output + fail gate:

```bash
WORKFLOW_GLOB=.github/workflows/*.yml \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
```

Run against bundled fixtures:

```bash
WORKFLOW_GLOB=skills/github-actions-permission-scope-audit/fixtures/*.yml \
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
```

## Output contract

- Exit `0` in report mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more workflows are critical
- Text mode prints summary + ranked workflows
- JSON mode prints summary + ranked workflows + critical workflows
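The following is an added example, not the skill's own script (which is bash), showing the detection and gating logic the sections above describe in runnable form: it parses the subset of workflow YAML that matters for the audit (`on`, top-level and job-level `permissions`, `jobs`), scores each workflow for a missing permissions policy, `write-all`, individual write scopes, and `pull_request_target` combined with any write permission, ranks the results into the JSON shape from the output contract, and returns the exit code the `FAIL_ON_CRITICAL` gate would produce. The per-finding weights, the hand-rolled YAML subset parser, and the three sample workflows are all assumptions constructed for this example; only the default thresholds (`WARN_SCORE=2`, `CRITICAL_SCORE=5`, `TOP_N=20`) come from the README.

```python
"""Detection and gating logic of a GITHUB_TOKEN permission audit, re-created in
Python as an illustration.  Constructed example, not the skill's own code: the
finding weights are assumptions chosen so the README's default thresholds split the samples."""
import json


def _scalar(v):
    """Plain or quoted scalar, or a flow sequence such as [push, pull_request]."""
    v = v.strip()
    if v.startswith("[") and v.endswith("]"):
        return [_scalar(x) for x in v[1:-1].split(",") if x.strip()]
    return v.strip("'\"")


def parse_yaml_subset(text):
    """Parse the YAML subset workflow files use around on/permissions/jobs (block
    mappings, block/flow sequences, scalars, `- key: value` items with indented
    continuation keys).  Deliberately not a full YAML parser."""
    root = {}
    stack = [(-1, root, None, None)]  # (indent, container, owner, key in owner)
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        is_item = body.startswith("- ")
        # a "- item" may share its parent key's column; a nested key may not
        while stack[-1][0] > indent or (stack[-1][0] == indent and not is_item):
            stack.pop()
        _, container, owner, key = stack[-1]
        if is_item:
            if container == {}:  # first item: the empty mapping is really a sequence
                container = owner[key] = []
                stack[-1] = (stack[-1][0], container, owner, key)
            body = body[2:].strip()
            if body.startswith("[") or ":" not in body:
                container.append(_scalar(body))
                continue
            container.append(item := {})
            stack.append((indent + 1, item, None, None))  # continuation keys sit past the dash
            container = item
        k, _, v = body.partition(":")
        k, v = k.strip(), v.strip()
        if v:
            container[k] = _scalar(v)
        else:
            container[k] = child = {}
            stack.append((indent + (2 if is_item else 0), child, container, k))
    return root


def _perm_entries(perms):
    """Normalise a permissions value into (scope, level) pairs; '*' means every scope."""
    if isinstance(perms, dict):
        return [(scope, str(level)) for scope, level in perms.items()]
    return [("*", perms.split("-")[0])] if perms in ("write-all", "read-all") else []


def score_workflow(name, text):
    """Assumed weights: missing policy +2, write-all +5, each write scope +1,
    pull_request_target combined with any write permission +5."""
    wf = parse_yaml_subset(text)
    on = wf.get("on", [])
    events = list(on) if isinstance(on, (list, dict)) else [on]
    jobs = wf.get("jobs") if isinstance(wf.get("jobs"), dict) else {}
    units = [("workflow", wf.get("permissions"))]
    units += [(f"job {j}", s.get("permissions")) for j, s in jobs.items() if isinstance(s, dict)]
    findings, score, writes = [], 0, set()
    if units[0][1] is None and any(p is None for _, p in units[1:]):
        findings.append("no explicit permissions policy: jobs inherit the repository default token scope")
        score += 2
    for where, perms in units:
        for scope, level in _perm_entries(perms):
            if level == "write":
                writes.add(scope)
                findings.append(f"{where}: {'permissions: write-all' if scope == '*' else scope + ': write'}")
                score += 5 if scope == "*" else 1
    if "pull_request_target" in events and writes:
        findings.append("pull_request_target with write permissions: untrusted PR input meets a write-capable token")
        score += 5
    return {"workflow": name, "score": score, "findings": findings}


def audit(workflows, warn=2, critical=5, top_n=20, fail_on_critical=False):
    """Report in the README's JSON shape (summary + ranked + critical) plus the exit code."""
    results = sorted((score_workflow(n, t) for n, t in workflows.items()), key=lambda r: -r["score"])
    for r in results:
        r["severity"] = "critical" if r["score"] >= critical else "warn" if r["score"] >= warn else "ok"
    crit = [r["workflow"] for r in results if r["severity"] == "critical"]
    report = {"summary": {"workflows": len(results), "critical": len(crit)},
              "ranked": results[:top_n], "critical": crit}
    return report, (1 if fail_on_critical and crit else 0)


# Constructed sample workflows, not files from any real repository.
SAMPLES = {
    "triage.yml": "on:\n  pull_request_target:\npermissions: write-all\njobs:\n  label:\n"
                  "    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n",
    "publish.yml": "on: [push]\npermissions:\n  contents: read\njobs:\n  build:\n"
                   "    permissions:\n      packages: write\n    steps:\n      - run: make publish\n",
    "ci.yml": "on: [push, pull_request]\njobs:\n  test:\n    steps:\n      - run: make test\n",
}

if __name__ == "__main__":
    report, code = audit(SAMPLES, fail_on_critical=True)
    print(json.dumps(report, indent=2))
    raise SystemExit(code)
```

With the assumed weights, `triage.yml` scores 10 (write-all plus `pull_request_target` with write) and is critical, `ci.yml` scores 2 (no permissions policy anywhere) and lands on the warn threshold, and `publish.yml` scores 1 because it follows the scoped shape that keeps an audit quiet: read-only at the top level with a single write scope granted only to the job that needs it. Running the module directly exits 1, which is the gate behaviour the output contract describes for `FAIL_ON_CRITICAL=1`.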