GitHub Actions Workflow Hardening Audit
Use this skill to statically audit .github/workflows/*.yml files before risky defaults leak into production CI.
What this skill does
- Scans workflow YAML files and scores hardening risk per file
- Flags jobs missing `timeout-minutes`
- Flags missing `permissions` declarations (workflow-level or job-level)
- Optionally flags missing `concurrency` controls
- Flags floating `uses:` refs (`@main`, `@master`, `@latest`, major-only tags like `@v4`)
- Supports file/event regex filtering for targeted triage in large monorepos
- Raises severity (`ok` / `warn` / `critical`) and can fail CI gates
Inputs
Optional:
- `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: `3`)
- `CRITICAL_SCORE` (default: `7`)
- `REQUIRE_TIMEOUT` (`0`/`1`, default: `1`)
- `REQUIRE_PERMISSIONS` (`0`/`1`, default: `1`)
- `REQUIRE_CONCURRENCY` (`0`/`1`, default: `0`)
- `FLAG_FLOATING_REFS` (`0`/`1`, default: `1`)
- `ALLOW_REF_REGEX` (regex whitelist for approved refs, optional)
- `WORKFLOW_FILE_MATCH` (regex include filter on file path, optional)
- `WORKFLOW_FILE_EXCLUDE` (regex exclude filter on file path, optional)
- `EVENT_MATCH` (regex include filter on parsed `on:` triggers, optional)
- `EVENT_EXCLUDE` (regex exclude filter on parsed `on:` triggers, optional)
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)
Run
Text report:

```bash
WORKFLOW_GLOB=.github/workflows/*.yml \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```

JSON output + fail gate:

```bash
WORKFLOW_GLOB=.github/workflows/*.yml \
OUTPUT_FORMAT=json \
REQUIRE_CONCURRENCY=1 \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```

Filter to only PR-target workflows:

```bash
WORKFLOW_GLOB=.github/workflows/*.yml \
EVENT_MATCH=pull_request_target \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```

Run against bundled fixtures:

```bash
WORKFLOW_GLOB=skills/github-actions-workflow-hardening-audit/fixtures/*.yml \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```
Output contract
- Exit `0` in report mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more workflows are critical
- Text mode prints summary + ranked workflow risks
- JSON mode prints summary + ranked workflows + critical workflows
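The checks, filters and severity gate described above, as an added Python example that is not the skill's own script (which is bash): it models a weak `pull_request_target` workflow beside its hardened form and scores both. The two workflow dicts, the placeholder SHAs and the finding weights are constructed for illustration; the real script's weights are not documented on this page.

```python
import re

# Constructed sample (not the audit script's own code): a workflow carrying every
# weak default the skill flags, written as the dict yaml.safe_load() would return
# so the example runs offline without PyYAML.
WEAK_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request_target": {}, "push": {"branches": ["main"]}},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},      # major-only tag, moves on release
                {"uses": "actions/setup-node@main"},  # branch ref, moves on every push
                {"run": "npm ci && npm test"},
            ],
        },
    },
}

# The same workflow with the defaults corrected: read-only token, timeout,
# concurrency group and SHA-pinned actions. The SHAs are placeholders, not
# real commits; pin to the commit you actually reviewed.
HARDENED_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request": {}, "push": {"branches": ["main"]}},
    "permissions": {"contents": "read"},
    "concurrency": {"group": "ci-${{ github.ref }}", "cancel-in-progress": True},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "timeout-minutes": 15,
            "steps": [
                {"uses": "actions/checkout@" + "0" * 40},
                {"uses": "actions/setup-node@" + "1" * 40},
                {"run": "npm ci && npm test"},
            ],
        },
    },
}

# Assumed finding weights; the page does not document the script's real scoring.
WEIGHTS = {"timeout": 1, "permissions": 2, "concurrency": 1, "floating-ref": 3}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
BRANCH_RE = re.compile(r"^(main|master|latest)$")
MAJOR_ONLY_RE = re.compile(r"^v?\d+$")


def is_floating_ref(uses, allow_ref_regex=None):
    """True when a `uses:` ref can move underneath the workflow (@main, @master,
    @latest, major-only tags). Local and docker:// refs carry no git ref to pin."""
    if uses.startswith("./") or uses.startswith("docker://"):
        return False
    if "@" not in uses:
        return True
    ref = uses.rsplit("@", 1)[1]
    if allow_ref_regex and re.search(allow_ref_regex, ref):
        return False
    if SHA_RE.match(ref):
        return False
    return bool(BRANCH_RE.match(ref) or MAJOR_ONLY_RE.match(ref))


def trigger_names(wf):
    """Names under `on:`, which YAML may hand back as a string, a list or a
    mapping. PyYAML reads the bare key `on` as boolean True, so accept both."""
    on = wf.get("on", wf.get(True, {}))
    if isinstance(on, str):
        return [on]
    if isinstance(on, list):
        return list(on)
    return list(on.keys())


def event_selected(wf, event_match=None, event_exclude=None):
    """Apply EVENT_MATCH / EVENT_EXCLUDE style regex filters to one workflow."""
    names = trigger_names(wf)
    if event_match and not any(re.search(event_match, n) for n in names):
        return False
    if event_exclude and any(re.search(event_exclude, n) for n in names):
        return False
    return True


def audit_workflow(wf, require_timeout=True, require_permissions=True,
                   require_concurrency=False, flag_floating_refs=True,
                   allow_ref_regex=None, warn_score=3, critical_score=7):
    """Score one parsed workflow. Keyword defaults mirror the skill's inputs."""
    findings = []
    wf_perms, wf_conc = "permissions" in wf, "concurrency" in wf
    for name, job in wf.get("jobs", {}).items():
        if require_timeout and "timeout-minutes" not in job:
            findings.append(("timeout", name, "no timeout-minutes (runner default is 360)"))
        if require_permissions and not (wf_perms or "permissions" in job):
            findings.append(("permissions", name, "no permissions block; GITHUB_TOKEN keeps the repository default scope"))
        if require_concurrency and not (wf_conc or "concurrency" in job):
            findings.append(("concurrency", name, "no concurrency group"))
        if flag_floating_refs:
            for step in job.get("steps", []):
                uses = step.get("uses")
                if uses and is_floating_ref(uses, allow_ref_regex):
                    findings.append(("floating-ref", name, uses))
    score = sum(WEIGHTS[kind] for kind, _, _ in findings)
    sev = "critical" if score >= critical_score else "warn" if score >= warn_score else "ok"
    return {"score": score, "severity": sev, "findings": findings}


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        result = audit_workflow(wf, require_concurrency=True)
        print(f"{label}: {result['severity']} (score {result['score']})")
        for kind, job, detail in result["findings"]:
            print(f"  [{kind}] {job}: {detail}")
```

Two caveats the rule set above leaves implicit: a full tag such as `@v4.1.7` is not flagged, because the page only lists branches and major-only tags as floating, but tags are mutable too, so the durable fix is a 40-character commit SHA with the tag kept in a trailing comment. And `EVENT_MATCH=pull_request_target` is worth its own gate because that trigger runs with the repository's write-capable token and secrets on pull requests from forks, so a missing `permissions` block or a floating ref there is the most consequential combination the audit reports.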