GitHub Actions Secret Exposure Audit
v1: audits GitHub Actions workflow files for secret exposure risks such as pull_request_target workflows that use secrets, commands that echo secrets, and secrets passed into unpinned actions.
GitHub Actions Secret Exposure Audit
Use this skill to catch risky secret-handling patterns in workflow YAML before they leak credentials or allow unsafe token use.

What this skill does
- Scans workflow YAML files (.github/workflows/*.yml by default)
- Flags pull_request_target workflows that also reference ${{ secrets.* }}
- Flags shell output commands that print secret expressions (echo, printf, tee, ::set-output)
- Flags secret values passed into unpinned third-party actions (@main, @master, @v1, etc.)
- Flags likely hardcoded credential values in workflow config
- Supports text/json output and a CI fail gate, controlled by the inputs below
Inputs (all optional):
- WORKFLOW_GLOB (default: .github/workflows/*.yml)
- TOP_N (default: 20)
- OUTPUT_FORMAT (text or json, default: text)
- WARN_SCORE (default: 4)
- CRITICAL_SCORE (default: 8)
- WORKFLOW_FILE_MATCH / WORKFLOW_FILE_EXCLUDE (regex, optional)
- ALLOW_REF_REGEX (regex, optional): allow-listed action refs (for example ^v1\.2\.3$)
- FAIL_ON_CRITICAL (0 or 1, default: 0)

Run
Text report:
WORKFLOW_GLOB='.github/workflows/*.yml' \
WARN_SCORE=4 \
CRITICAL_SCORE=8 \
bash skills/github-actions-secret-exposure-audit/scripts/secret-exposure-audit.sh
JSON output + fail gate:
WORKFLOW_GLOB='.github/workflows/*.yml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-secret-exposure-audit/scripts/secret-exposure-audit.sh
Run against bundled fixtures:
WORKFLOW_GLOB='skills/github-actions-secret-exposure-audit/fixtures/*.y*ml' \
bash skills/github-actions-secret-exposure-audit/scripts/secret-exposure-audit.sh
Output contract
- Exit 0 in reporting mode (default)
- Exit 1 when FAIL_ON_CRITICAL=1 and one or more workflows are critical
- Text mode prints a summary plus the top risky workflows
- JSON mode prints a summary, the ranked workflows, and the critical workflows
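To show how the four flagged patterns and the WARN_SCORE/CRITICAL_SCORE thresholds combine into a per-workflow verdict, here is an added, self-contained detector in Python; it is not the skill's own bash script, the per-finding weights and the sample workflow are this example's own assumptions, and it uses plain regexes so it needs no YAML library.

```python
import re

# Constructed sample workflow (not from the page); it exhibits three of the patterns the audit flags.
SAMPLE_WORKFLOW = """\
name: release
on: [pull_request_target]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "token=${{ secrets.NPM_TOKEN }}"
      - uses: example-org/publish@main
        with:
          token: ${{ secrets.NPM_TOKEN }}
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
PRINT_CMD = re.compile(r"\b(echo|printf|tee)\b|::set-output")
STEP_START = re.compile(r"^\s*-\s")
USES_REF = re.compile(r"uses:\s*(\S+)@(\S+)")
UNPINNED = re.compile(r"^(main|master|v\d+)$")
HARDCODED = re.compile(r"(?i)\b(password|token|api[_-]?key)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}")

# Weights are assumed for this example; the page only fixes the WARN_SCORE/CRITICAL_SCORE thresholds.
WEIGHTS = {"pull_request_target_secrets": 4, "secret_printed": 4,
           "secret_to_unpinned_action": 3, "hardcoded_credential": 5}

def audit_workflow(text, warn_score=4, critical_score=8, allow_ref=None):
    """Return (score, level, findings) for one workflow YAML document; findings are (kind, line_no)."""
    lines = text.splitlines()
    findings = []
    if "pull_request_target" in text and any(SECRET_REF.search(l) for l in lines):
        findings.append(("pull_request_target_secrets", 0))
    current_ref = None  # ref of the action used by the step currently being read
    for no, line in enumerate(lines, 1):
        if STEP_START.match(line):
            current_ref = None  # a new list item starts a new step
        m = USES_REF.search(line)
        if m:
            current_ref = m.group(2)
        has_secret = bool(SECRET_REF.search(line))
        if has_secret and PRINT_CMD.search(line):
            findings.append(("secret_printed", no))
        if (has_secret and current_ref and UNPINNED.match(current_ref)
                and not (allow_ref and re.match(allow_ref, current_ref))):
            findings.append(("secret_to_unpinned_action", no))
        if HARDCODED.search(line) and not has_secret:
            findings.append(("hardcoded_credential", no))
    score = sum(WEIGHTS[kind] for kind, _ in findings)
    level = "critical" if score >= critical_score else "warn" if score >= warn_score else "ok"
    return score, level, findings

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW))
```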