GitHub Actions Self-Hosted Risk Audit
v1.0.0
Audit GitHub Actions workflows that use self-hosted runners for untrusted-trigger and credential-hardening risks.
GitHub Actions Self-Hosted Risk Audit
Use this skill to flag risky workflow patterns when jobs run on self-hosted GitHub Actions runners.
What this skill does
- Scans workflow YAML files (.github/workflows/*.yml by default)
- Detects workflows that reference self-hosted runners
- Flags high-risk trigger combinations (pull_request_target, pull_request, issue_comment)
- Flags broad/self-hosted-only runner selection (no extra routing labels)
- Flags workflows with write-capable permissions in self-hosted contexts
- Flags actions/checkout steps that do not set persist-credentials: false
- Supports text/json output and a CI fail gate via inputs
Optional inputs (environment variables):
- WORKFLOW_GLOB (default: .github/workflows/*.yml)
- TOP_N (default: 20)
- OUTPUT_FORMAT (text or json, default: text)
- WARN_SCORE (default: 4)
- CRITICAL_SCORE (default: 8)
- WORKFLOW_FILE_MATCH / WORKFLOW_FILE_EXCLUDE (regex, optional)
- FAIL_ON_CRITICAL (0 or 1, default: 0)
Run
Text report:
WORKFLOW_GLOB='.github/workflows/*.yml' \
WARN_SCORE=4 \
CRITICAL_SCORE=8 \
bash skills/github-actions-self-hosted-risk-audit/scripts/self-hosted-risk-audit.sh
JSON output + fail gate:
WORKFLOW_GLOB='.github/workflows/*.yml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-self-hosted-risk-audit/scripts/self-hosted-risk-audit.sh
Run against bundled fixtures:
WORKFLOW_GLOB='skills/github-actions-self-hosted-risk-audit/fixtures/*.yml' \
bash skills/github-actions-self-hosted-risk-audit/scripts/self-hosted-risk-audit.sh
Output contract
- Exit 0 in reporting mode (default)
- Exit 1 when FAIL_ON_CRITICAL=1 and one or more workflows are critical
- Text mode prints summary + top flagged workflows
- JSON mode prints summary + flagged workflows + critical workflows
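As an added illustration of the checks and the warn/critical thresholds described above (example code, not the skill's own audit script), here is a Python scorer that runs the same heuristics over an already-parsed workflow, i.e. the dict yaml.safe_load would return for a workflow file. The per-check weights, the helper names and the sample workflow are assumptions; only the 4/8 thresholds and the check list come from the page.

```python
# Assumed weights; only the 4/8 warn/critical thresholds come from the page.
RISKY_TRIGGERS = {"pull_request_target": 4, "issue_comment": 3, "pull_request": 2}
WRITE_PERMS = {"write", "write-all"}
WARN_SCORE, CRITICAL_SCORE = 4, 8

def _runs_on_labels(job):
    """Normalise runs-on (string, list or {group:, labels:} mapping) to a list of labels."""
    ro = job.get("runs-on", [])
    if isinstance(ro, dict):
        ro = ro.get("labels", [])
    return [ro] if isinstance(ro, str) else [str(x) for x in ro]

def _has_write_permissions(perms):
    if isinstance(perms, str):          # permissions: write-all / read-all
        return perms in WRITE_PERMS
    return isinstance(perms, dict) and any(v in WRITE_PERMS for v in perms.values())

def audit_workflow(wf):
    """Score one parsed workflow (yaml.safe_load output); returns score, level, findings."""
    findings = []
    def hit(points, msg):               # record a finding and return its weight
        findings.append(msg)
        return points
    jobs = wf.get("jobs") or {}
    self_hosted = [n for n, j in jobs.items() if "self-hosted" in _runs_on_labels(j)]
    if not self_hosted:                 # no self-hosted job: out of scope for this audit
        return {"score": 0, "level": "ok", "findings": findings}
    # PyYAML (YAML 1.1) loads the bare key `on` as boolean True, so check both keys.
    on = wf.get("on", wf.get(True, {}))
    triggers = [on] if isinstance(on, str) else list(on)
    score = sum(hit(RISKY_TRIGGERS[t], f"risky trigger '{t}' reaches a self-hosted job")
                for t in triggers if t in RISKY_TRIGGERS)
    for name in self_hosted:
        job = jobs[name]
        if _runs_on_labels(job) == ["self-hosted"]:
            score += hit(1, f"job '{name}': self-hosted only, no routing labels")
        if _has_write_permissions(job.get("permissions", wf.get("permissions"))):
            score += hit(2, f"job '{name}': write-capable permissions")
        for step in job.get("steps") or []:
            checkout = str(step.get("uses", "")).startswith("actions/checkout")
            if checkout and (step.get("with") or {}).get("persist-credentials") is not False:
                score += hit(2, f"job '{name}': actions/checkout without persist-credentials: false")
    level = "critical" if score >= CRITICAL_SCORE else "warn" if score >= WARN_SCORE else "ok"
    return {"score": score, "level": level, "findings": findings}
# Constructed sample in the shape yaml.safe_load returns: risky trigger, self-hosted-only
# runner, workflow-level write permissions, and a checkout that keeps the token.
RISKY_WORKFLOW = {
    "on": {"pull_request_target": {"types": ["opened"]}, "push": None},
    "permissions": {"contents": "write"},
    "jobs": {"build": {"runs-on": "self-hosted",
                       "steps": [{"uses": "actions/checkout@v4"}, {"run": "make"}]}}}
```

Calling audit_workflow(RISKY_WORKFLOW) yields score 9 and level "critical" with four findings; the same workflow with extra routing labels, read-only permissions and persist-credentials: false scores 0.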