GitHub Actions Secret Exposure Audit
Use this skill to catch risky secret handling patterns in workflow YAML before they leak credentials or allow unsafe token use.
What this skill does
- Scans workflow YAML files (`.github/workflows/*.y*ml` by default)
- Flags `pull_request_target` workflows that also reference `${{ secrets.* }}` (this trigger runs in the base repository's context, so fork-supplied code can reach repository secrets)
- Flags shell output commands that print secret expressions (`echo`, `printf`, `tee`, `::set-output`), which can expose secret values in job logs or step outputs
- Flags secret values passed into unpinned third-party actions (`@main`, `@master`, `@v1`, etc.), where the tag or branch can later be moved to different code
- Flags likely hardcoded credential values in workflow config
- Supports text/json output and a CI fail gate
Inputs
Optional:
- `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (warn threshold, default: `4`)
- `CRITICAL_SCORE` (critical threshold, default: `8`)
- `WORKFLOW_FILE_MATCH` / `WORKFLOW_FILE_EXCLUDE` (regex, optional)
- `ALLOW_REF_REGEX` (regex, optional): allow-listed action refs (for example `^v1\.2\.3$`)
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)
Run
Text report:
```bash
WORKFLOW_GLOB=.github/workflows/*.yml \
WARN_SCORE=4 \
CRITICAL_SCORE=8 \
bash skills/github-actions-secret-exposure-audit/scripts/secret-exposure-audit.sh
```
JSON output + fail gate:
```bash
WORKFLOW_GLOB=.github/workflows/*.yml \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-secret-exposure-audit/scripts/secret-exposure-audit.sh
```
Run against bundled fixtures:
```bash
WORKFLOW_GLOB=skills/github-actions-secret-exposure-audit/fixtures/*.yml \
bash skills/github-actions-secret-exposure-audit/scripts/secret-exposure-audit.sh
```
Output contract
- Exit `0` in reporting mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more workflows are critical
- Text mode prints summary + top risky workflows
- JSON mode prints summary + ranked workflows + critical workflows
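The four finding classes, the warn/critical score thresholds and the exit-code contract above, as an added example: this is Python written for this page, not the skill's own `secret-exposure-audit.sh` (a bash script), and it goes slightly beyond the text by also honouring an allow-list regex for action refs and treating a 40-hex commit SHA as pinned. Everything it assumes is labelled in the code: the per-rule weights, `actions/` and `github/` counted as first-party rather than third-party, and the two constructed sample workflows, which are trimmed to the keys the scanner inspects.

```python
"""Added example (not the skill's own script): regex scanner for the finding classes, score thresholds and gate above."""
import re

WARN_SCORE, CRITICAL_SCORE = 4, 8      # page defaults
WEIGHTS = {"pull_request_target_with_secrets": 5, "secret_printed_to_log": 4,
           "secret_to_unpinned_action": 4, "hardcoded_credential": 5}  # assumed weights
FIRST_PARTY = ("actions/", "github/")  # assumption: these orgs are not counted as third-party
SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
OUTPUT_CMD = re.compile(r"\b(echo|printf|tee)\b|::set-output")
PRT = re.compile(r"\bpull_request_target\b")
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
STEP_START = re.compile(r"^(\s*)-\s+(name|uses|run|id|if|with|env|shell):")
HARDCODED = re.compile(r"^\s*-?\s*([\w-]*(?:password|passwd|token|secret|api[_-]?key)[\w-]*)"
                       r"\s*:\s*['\"]?(?!\$\{\{)[^\s'\"]{8,}", re.I)  # literal value, not ${{ }}

def split_steps(numbered):
    """Group (lineno, line) pairs into steps: '- key:' starts one, a line indented no deeper than the dash ends it."""
    steps, indent = [], 0
    for n, line in numbered:
        m = STEP_START.match(line)
        if m:
            indent = len(m.group(1))
            steps.append([(n, line)])
        elif steps and line.strip() and len(line) - len(line.lstrip()) <= indent:
            indent = -1                 # step closed; ignore lines until the next '- key:'
        elif steps and indent >= 0:
            steps[-1].append((n, line))
    return steps

def is_unpinned(uses, allow_re):
    """Remote action on a mutable ref; a 40-hex commit SHA or an allow-listed ref counts as pinned."""
    if uses.startswith(("./", "docker://")):
        return False                    # local path / image ref: out of scope here
    ref = uses.rsplit("@", 1)[1] if "@" in uses else ""   # no ref at all is unpinned
    return not (re.fullmatch(r"[0-9a-f]{40}", ref) or (allow_re and allow_re.search(ref)))

def audit(text, allow_ref_regex=None):
    """Return [(rule, lineno, detail)] for one workflow's YAML text (YAML comments stripped first)."""
    allow_re = re.compile(allow_ref_regex) if allow_ref_regex else None
    numbered = [(n, re.sub(r"(^|\s)#.*$", "", l)) for n, l in enumerate(text.splitlines(), 1)]
    findings = []
    prt = next((n for n, l in numbered if PRT.search(l)), None)
    if prt and any(SECRET_EXPR.search(l) for _, l in numbered):
        findings.append(("pull_request_target_with_secrets", prt, "fork-triggered run reaches secrets"))
    for n, line in numbered:
        if OUTPUT_CMD.search(line) and SECRET_EXPR.search(line):
            findings.append(("secret_printed_to_log", n, line.strip()))
        if HARDCODED.match(line):
            findings.append(("hardcoded_credential", n, HARDCODED.match(line).group(1)))
    for step in split_steps(numbered):
        uses = next((USES.match(l).group(1) for _, l in step if USES.match(l)), None)
        if (uses and not uses.startswith(FIRST_PARTY) and is_unpinned(uses, allow_re)
                and any(SECRET_EXPR.search(l) for _, l in step)):
            findings.append(("secret_to_unpinned_action", step[0][0], uses))
    return findings

def report(text, warn=WARN_SCORE, critical=CRITICAL_SCORE, **kw):
    findings = audit(text, **kw)
    score = sum(WEIGHTS[r] for r, _, _ in findings)
    level = "critical" if score >= critical else "warn" if score >= warn else "ok"
    return {"score": score, "level": level, "findings": findings}

def gate(reports, fail_on_critical=False):
    """Exit code per the output contract: 1 only when gating is on and some workflow is critical."""
    return 1 if fail_on_critical and any(r["level"] == "critical" for r in reports) else 0

# Constructed samples (trimmed to the keys the scanner reads): the same workflow before and after hardening.
VULNERABLE = """\
on:
  pull_request_target:
env:
  NPM_TOKEN: npm_abcdef1234567890ABCDEF   # literal credential in config
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork code, base-repo secrets
      - run: echo "token=${{ secrets.DEPLOY_TOKEN }}"
      - uses: someorg/deploy-action@main
        with:
          api-key: ${{ secrets.DEPLOY_TOKEN }}
"""
HARDENED = """\
on:
  pull_request:
env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: someorg/deploy-action@3f5a1c2e7b9d0a4f6e8c1b3d5a7f9e2c4b6d8a0f
        with:
          api-key: ${{ secrets.DEPLOY_TOKEN }}
"""

if __name__ == "__main__":
    reports = [report(VULNERABLE), report(HARDENED)]
    print(*reports, sep="\n")
    raise SystemExit(gate(reports, fail_on_critical=True))
```

The scanner is deliberately line- and step-based rather than a YAML parse, so it still reports on files a strict parser would reject; the trade-off is that the step grouping is a heuristic for the usual list-of-maps `steps:` layout. Passing `allow_ref_regex=r"^main$"` plays the role of `ALLOW_REF_REGEX` and drops only the unpinned-action finding, which leaves the vulnerable sample critical on the remaining three.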