GitHub Actions Workflow Hardening Audit
v4
Audit GitHub Actions workflow files for hardening gaps (missing timeouts, permissions or concurrency controls, and floating action refs).
GitHub Actions Workflow Hardening Audit
Use this skill to statically audit .github/workflows/*.yml files before risky defaults leak into production CI.
What this skill does
- Scans workflow YAML files and scores hardening risk per file
- Flags jobs missing timeout-minutes
- Flags missing permissions declarations (workflow-level or job-level)
- Optionally flags missing concurrency controls
- Flags floating uses: refs (@main, @master, @latest, major-only tags like @v4)
- Supports file/event regex filtering for targeted triage in large monorepos
- Raises severity (ok / warn / critical) and can fail CI gates

Inputs
Optional:
- WORKFLOW_GLOB (default: .github/workflows/*.yml)
- TOP_N (default: 20)
- OUTPUT_FORMAT (text or json, default: text)
- WARN_SCORE (default: 3)
- CRITICAL_SCORE (default: 7)
- REQUIRE_TIMEOUT (0/1, default: 1)
- REQUIRE_PERMISSIONS (0/1, default: 1)
- REQUIRE_CONCURRENCY (0/1, default: 0)
- FLAG_FLOATING_REFS (0/1, default: 1)
- ALLOW_REF_REGEX (regex allowlist for approved refs, optional)
- WORKFLOW_FILE_MATCH (regex include filter on file path, optional)
- WORKFLOW_FILE_EXCLUDE (regex exclude filter on file path, optional)
- EVENT_MATCH (regex include filter on parsed on: triggers, optional)
- EVENT_EXCLUDE (regex exclude filter on parsed on: triggers, optional)
- FAIL_ON_CRITICAL (0 or 1, default: 0)

Run
Text report:
WORKFLOW_GLOB='.github/workflows/*.yml' \
  bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

JSON output + fail gate:
WORKFLOW_GLOB='.github/workflows/*.yml' \
  OUTPUT_FORMAT=json \
  REQUIRE_CONCURRENCY=1 \
  FAIL_ON_CRITICAL=1 \
  bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

Filter to only pull_request_target workflows:
WORKFLOW_GLOB='.github/workflows/*.yml' \
  EVENT_MATCH='pull_request_target' \
  FAIL_ON_CRITICAL=1 \
  bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

Run against bundled fixtures:
WORKFLOW_GLOB='skills/github-actions-workflow-hardening-audit/fixtures/*.y*ml' \
  bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

Output contract
- Exit 0 in report mode (default)
- Exit 1 when FAIL_ON_CRITICAL=1 and one or more workflows are critical
- Text mode prints summary + ranked workflow risks
- JSON mode prints summary + ranked workflows + critical workflows
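To make the checks and the severity gate concrete, here is an added example that is not the skill's own script: a small Python re-implementation of the same audit logic (missing timeout-minutes, missing workflow- or job-level permissions, optional concurrency check, floating uses: refs, an allowlist regex for approved refs, and ok/warn/critical thresholds). It walks the YAML line by line instead of using a YAML parser, so it assumes the usual 2-space indentation; the per-finding weights, the >= comparison against the thresholds, and both sample workflows are constructed for this example and are not the project's values.

```python
"""Line-based hardening audit of a GitHub Actions workflow (added example).

Assumptions: 2-space indented YAML; weights below are illustrative, not the
project's scoring; thresholds mirror the README defaults (3 / 7).
"""
import json
import re

# Assumed per-finding weights (constructed for this example).
WEIGHTS = {"no-timeout": 2, "no-permissions": 3, "no-concurrency": 1, "floating-ref": 2}
WARN_SCORE = 3        # README default
CRITICAL_SCORE = 7    # README default

TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):")                       # column-0 key
JOB_KEY = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")                  # 2-space key under jobs:
JOB_SETTING = re.compile(r"^    (timeout-minutes|permissions):")    # 4-space key inside a job
USES = re.compile(r"\buses:\s*([^\s#]+)")
FLOATING = re.compile(r"^(main|master|latest|v\d+)$")               # branches, latest, major-only tags


def is_floating(ref, allow_ref_regex=""):
    """True when an action ref is a moving target and not explicitly allowlisted."""
    if allow_ref_regex and re.search(allow_ref_regex, ref):
        return False
    return bool(FLOATING.match(ref))


def severity(score):
    """Map a numeric score to the README's three levels (assumed >= comparison)."""
    if score >= CRITICAL_SCORE:
        return "critical"
    if score >= WARN_SCORE:
        return "warn"
    return "ok"


def audit_workflow(text, require_concurrency=False, allow_ref_regex=""):
    """Return {'score', 'severity', 'findings'} for one workflow file's text."""
    findings = []            # (scope, finding code, detail)
    top_keys = set()
    jobs = {}                # job name -> {"timeout", "permissions", "uses"}
    current_job, in_jobs = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = TOP_KEY.match(line)
        if m:                                   # new top-level section
            top_keys.add(m.group(1))
            in_jobs = m.group(1) == "jobs"
            current_job = None
            continue
        if in_jobs:
            m = JOB_KEY.match(line)
            if m:                               # new job block
                current_job = m.group(1)
                jobs[current_job] = {"timeout": False, "permissions": False, "uses": []}
                continue
            m = JOB_SETTING.match(line)
            if m and current_job:               # job-level timeout / permissions
                jobs[current_job]["timeout" if m.group(1) == "timeout-minutes" else "permissions"] = True
                continue
        m = USES.search(line)
        if m and current_job:                   # step-level or reusable-workflow uses:
            jobs[current_job]["uses"].append(m.group(1))

    if "permissions" not in top_keys:           # no workflow-level block: each job must declare its own
        for name, job in jobs.items():
            if not job["permissions"]:
                findings.append((name, "no-permissions", "no workflow- or job-level permissions"))
    if require_concurrency and "concurrency" not in top_keys:
        findings.append(("workflow", "no-concurrency", "no concurrency group"))
    for name, job in jobs.items():
        if not job["timeout"]:
            findings.append((name, "no-timeout", "missing timeout-minutes"))
        for uses in job["uses"]:
            if uses.startswith("./") or uses.startswith("docker://"):
                continue                        # local and container actions have no git ref to pin
            _, _, ref = uses.partition("@")
            if not ref or is_floating(ref, allow_ref_regex):
                findings.append((name, "floating-ref", uses))
    score = sum(WEIGHTS[code] for _, code, _ in findings)
    return {"score": score, "severity": severity(score), "findings": findings}


# Constructed sample workflows (not from the project's fixtures).
RISKY = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
    steps:
      - uses: ./.github/actions/local
      - uses: example-org/deploy-action@main
"""

HARDENED = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed placeholder SHA
      - run: npm test
"""

if __name__ == "__main__":
    for label, text in (("risky", RISKY), ("hardened", HARDENED)):
        print(label, json.dumps(audit_workflow(text, require_concurrency=True)))
```

Running it prints the risky sample as critical (unpinned refs, a job with no timeout and no permissions) and the hardened sample as ok; passing ALLOW_REF_REGEX-style patterns such as `^v\d+$` to `allow_ref_regex` shows how an allowlist lowers the score without hiding the remaining branch ref.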