GitHub Actions Permission Scope Audit
v1.0.0
Audits GitHub Actions workflows for permission scope drift to enforce least-privilege GITHUB_TOKEN access.
GitHub Actions Permission Scope Audit
Use this skill to detect over-broad GITHUB_TOKEN permissions and scope drift across GitHub Actions workflows.
What this skill does
- Reads workflow YAML files
- Detects explicit broad permission grants (write-all, contents: write, etc.)
- Flags risky patterns such as pull_request_target workflows with write permissions
- Identifies workflows with no explicit permissions policy
- Emits text or JSON for CI triage and policy gates
Inputs
Optional (all are environment variables):
- WORKFLOW_GLOB (default: .github/workflows/*.yml)
- TOP_N (default: 20)
- OUTPUT_FORMAT (text or json, default: text)
- WARN_SCORE (default: 2)
- CRITICAL_SCORE (default: 5)
- FLAG_MISSING_PERMISSIONS (0 or 1, default: 1)
- FLAG_WRITE_ALL (0 or 1, default: 1)
- FLAG_WRITE_SCOPES (0 or 1, default: 1)
- WORKFLOW_FILE_MATCH / WORKFLOW_FILE_EXCLUDE (regex, optional)
- EVENT_MATCH / EVENT_EXCLUDE (regex, optional)
- PERMISSION_MATCH / PERMISSION_EXCLUDE (regex, optional)
- FAIL_ON_CRITICAL (0 or 1, default: 0)
Run
Text report:
WORKFLOW_GLOB='.github/workflows/*.yml' \
  bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
JSON output + fail gate:
WORKFLOW_GLOB='.github/workflows/*.yml' \
  OUTPUT_FORMAT=json \
  FAIL_ON_CRITICAL=1 \
  bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
Run against bundled fixtures:
WORKFLOW_GLOB='skills/github-actions-permission-scope-audit/fixtures/*.yml' \
  bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
Output contract
- Exit 0 in report mode (default)
- Exit 1 when FAIL_ON_CRITICAL=1 and one or more workflows are critical
- Text mode prints a summary plus the ranked workflows
- JSON mode prints a summary plus the ranked workflows and the list of critical workflows
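As an added illustration (not the skill's own bash script), the Python sketch below implements the checks listed above over constructed workflow fixtures: write-all grants, per-scope write grants, missing permissions blocks, and pull_request_target combined with write permissions, scored against the WARN_SCORE and CRITICAL_SCORE defaults. The per-finding weights and the line-based YAML scan are assumptions, since the page does not state how the script scores each finding.

```python
# Assumed weights: the page gives only the thresholds, not per-finding scores.
WEIGHTS = {"write-all": 5, "write-scope": 2, "missing": 2, "prt-write": 3}
WARN_SCORE, CRITICAL_SCORE = 2, 5                    # defaults named on the page

def audit_workflow(text):
    """Return (score, level, findings) for one workflow's YAML text (line-based scan)."""
    events, write_scopes, has_block, write_all = set(), [], False, False
    section = perm_indent = child_indent = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()             # drop comments and blank lines
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        key, _, val = body.partition(":")
        key, val = key.strip("'\""), val.strip()
        if section == "permissions" and indent > perm_indent:
            if val == "write":                           # e.g. `contents: write`
                write_scopes.append(key)
            continue
        if section == "on" and indent > 0:
            child_indent = child_indent or indent        # first child fixes the event indent
            if indent == child_indent:                   # skips filters such as `branches:`
                events.add(body[2:].strip() if body.startswith("- ") else key)
            continue
        section = None
        if key == "permissions":                         # workflow- or job-level block
            section, perm_indent, has_block = "permissions", indent, True
            write_all = write_all or val == "write-all"
        elif indent == 0 and key == "on":                # on: push / on: [push, x] / on: (block)
            section, child_indent = "on", None
            events.update(e.strip() for e in val.strip("[]").split(",") if e.strip())
    checks = [(write_all, "write-all", "permissions: write-all"),
              (not has_block, "missing", "no explicit permissions policy"),
              ("pull_request_target" in events and bool(write_all or write_scopes),
               "prt-write", "pull_request_target with write permissions")]
    checks += [(True, "write-scope", f"{s}: write") for s in write_scopes]
    score = sum(WEIGHTS[w] for hit, w, _ in checks if hit)
    level = "critical" if score >= CRITICAL_SCORE else "warn" if score >= WARN_SCORE else "ok"
    return score, level, [msg for hit, _, msg in checks if hit]

# Constructed fixtures standing in for .github/workflows/*.yml files.
FIXTURES = {
    "release.yml": "on: [push, pull_request_target]\npermissions: write-all\njobs:\n  build:\n    runs-on: ubuntu-latest\n",
    "labeler.yml": "on:\n  pull_request_target:\n    types: [opened]\njobs:\n  label:\n    permissions:\n      contents: read\n      pull-requests: write\n",
    "ci.yml": "on: push\njobs:\n  test:\n    runs-on: ubuntu-latest\n",
    "docs.yml": "on:\n  push:\n    branches: [main]\npermissions:\n  contents: read\n",
}
def rank(fixtures=FIXTURES, top_n=20):                  # ranked list, highest score first (TOP_N)
    rows = [(name, *audit_workflow(text)) for name, text in fixtures.items()]
    return sorted(rows, key=lambda r: -r[1])[:top_n]
```

A CI gate in the spirit of FAIL_ON_CRITICAL=1 would exit non-zero whenever any row in rank() has level "critical".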