# GitHub Actions OIDC Hardening Audit

v1

Audit GitHub Actions cloud-auth workflows for OIDC hardening gaps such as missing `id-token: write` permissions, static cloud secrets, and floating auth action refs.
Use this skill to catch risky cloud-auth patterns in workflow YAML before they become identity or secret exposure incidents.

## What this skill does

- Scans workflow YAML files (`.github/workflows/*.yml` by default)
- Detects AWS/GCP/Azure auth action usage: `aws-actions/configure-aws-credentials`, `google-github-actions/auth`, `azure/login`
- Flags workflows that use cloud auth actions but lack `permissions.id-token: write`
- Flags AWS auth usage without `role-to-assume`
- Flags likely static cloud credential usage (`aws-access-key-id`, `aws-secret-access-key`, cloud credential secrets)
- Flags floating auth action refs (`@main`, `@master`, `@v1`) unless allow-listed
- Supports text/json output and a CI fail gate

## Inputs
Optional:
- `WORKFLOW_GLOB` (default: `.github/workflows/*.yml`)
- `TOP_N` (default: 20)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: 3)
- `CRITICAL_SCORE` (default: 7)
- `WORKFLOW_FILE_MATCH` / `WORKFLOW_FILE_EXCLUDE` (regex, optional)
- `ALLOW_REF_REGEX` (regex, optional): allow-listed action refs
- `FAIL_ON_CRITICAL` (0 or 1, default: 0)

## Run
Text report:

```bash
WORKFLOW_GLOB='.github/workflows/*.yml' \
WARN_SCORE=3 \
CRITICAL_SCORE=7 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh
```

JSON output + fail gate:

```bash
WORKFLOW_GLOB='.github/workflows/*.yml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh
```

Run against bundled fixtures:

```bash
WORKFLOW_GLOB='skills/github-actions-oidc-hardening-audit/fixtures/*.yml' \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh
```

## Output contract

- Exit 0 in reporting mode (default)
- Exit 1 when `FAIL_ON_CRITICAL=1` and one or more workflows are critical
- Text mode prints a summary + the top risky workflows
- JSON mode prints a summary + flagged workflows + critical workflows
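As an added illustration (not the skill's own audit script), the following Python scanner applies the same classes of checks the audit describes, missing `id-token: write`, AWS auth without `role-to-assume`, static credential inputs, and floating auth action refs, to two constructed workflows, one weak and one hardened, and maps the resulting score onto the `WARN_SCORE`/`CRITICAL_SCORE` levels. The per-finding weights, the helper names, the sample workflows and the IAM role ARN are assumptions; the real script's scoring is not documented on this page.

```python
"""Line-oriented OIDC hardening checks for GitHub Actions workflow YAML.

Added example, not the skill's own audit script: the weights, helper names and
sample workflows are assumptions; the WARN_SCORE/CRITICAL_SCORE defaults are
the README's (3 and 7)."""
import re

# Auth actions the audit looks for, mapped to the inputs that carry a long-lived
# credential instead of an OIDC federation.
STATIC_CRED_INPUTS = {
    "aws-actions/configure-aws-credentials": ("aws-access-key-id", "aws-secret-access-key"),
    "google-github-actions/auth": ("credentials_json",),
    "azure/login": ("creds",),
}
FLOATING_REFS = {"main", "master", "v1"}
# Assumed per-finding weights; the page does not document the script's scoring.
WEIGHTS = {"missing-id-token-write": 4, "static-credential-input": 5,
           "aws-no-role-to-assume": 3, "floating-auth-ref": 2}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)")
ID_TOKEN_WRITE_RE = re.compile(r"^\s*id-token:\s*write\b")


def _indent(line):
    """Number of leading spaces (the YAML nesting depth this scanner relies on)."""
    return len(line) - len(line.lstrip())


def step_body(lines, idx):
    """Lines belonging to the step whose `uses:` is lines[idx] (its `with:` block)."""
    key_indent = _indent(lines[idx]) + (2 if lines[idx].lstrip().startswith("- ") else 0)
    body = []
    for nxt in lines[idx + 1:]:
        if nxt.strip() and _indent(nxt) < key_indent:
            break  # a sibling step or a job-level key: the step has ended
        body.append(nxt)
    return body


def scan_workflow(text, allow_ref_regex=None):
    """Return (score, findings) for one workflow; each finding is (rule, detail)."""
    lines = text.splitlines()
    findings, uses_auth_action = [], False
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or m.group(1) not in STATIC_CRED_INPUTS:
            continue
        action, ref = m.group(1), m.group(2)
        uses_auth_action = True
        allowed = allow_ref_regex and re.search(allow_ref_regex, f"{action}@{ref}")
        if ref in FLOATING_REFS and not allowed:
            findings.append(("floating-auth-ref", f"line {i + 1}: {action}@{ref}"))
        body = step_body(lines, i)
        static_keys = [k for k in STATIC_CRED_INPUTS[action]
                       if any(re.match(rf"\s*{re.escape(k)}:", b) for b in body)]
        if static_keys:
            findings.append(("static-credential-input", f"line {i + 1}: {', '.join(static_keys)}"))
        if action == "aws-actions/configure-aws-credentials" and not any(
                re.match(r"\s*role-to-assume:", b) for b in body):
            findings.append(("aws-no-role-to-assume", f"line {i + 1}: no role-to-assume"))
    # One `id-token: write` at workflow or job level satisfies the check.
    if uses_auth_action and not any(ID_TOKEN_WRITE_RE.match(l) for l in lines):
        findings.append(("missing-id-token-write", "no permissions.id-token: write"))
    return sum(WEIGHTS[rule] for rule, _ in findings), findings


def classify(score, warn_score=3, critical_score=7):
    """Map a score onto the WARN_SCORE / CRITICAL_SCORE gate levels."""
    if score >= critical_score:
        return "critical"
    return "warn" if score >= warn_score else "ok"


# Constructed sample: static AWS keys, floating ref, no role, no id-token permission.
WEAK_WORKFLOW = """\
jobs:
  deploy:
    steps:
      - name: Configure AWS
        uses: aws-actions/configure-aws-credentials@main
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

# Constructed sample: OIDC federation with a pinned ref (placeholder role ARN).
HARDENED_WORKFLOW = """\
permissions:
  id-token: write
jobs:
  deploy:
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/EXAMPLE-deploy-role
      - run: aws sts get-caller-identity
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        score, findings = scan_workflow(wf)
        print(f"{name}: score={score} level={classify(score)}")
        for rule, detail in findings:
            print(f"  {rule}: {detail}")
```

Run as a script it prints each sample's score, gate level and findings. The scanner is deliberately line-based rather than a YAML parse so it can be dropped next to a shell tool without extra dependencies; the trade-off is that it relies on conventional two-space indentation, which is why `step_body` keys on the indent of the `uses:` line to find the matching `with:` block.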