GitHub Actions Workflow Hardening Audit

v1.1.0

Audit GitHub Actions workflow files for hardening gaps (missing timeouts/permissions/concurrency and floating action refs).

by Daniel Lummis (@daniellummis)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for daniellummis/github-actions-workflow-hardening-audit.

Prompt preview: Install & Setup
Install the skill "GitHub Actions Workflow Hardening Audit" (daniellummis/github-actions-workflow-hardening-audit) from ClawHub.
Skill page: https://clawhub.ai/daniellummis/github-actions-workflow-hardening-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bash, python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install github-actions-workflow-hardening-audit

ClawHub CLI


npx clawhub@latest install github-actions-workflow-hardening-audit
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the actual behavior. Required binaries (bash, python3) are reasonable for a script that shells out to run an embedded Python program. There are no unrelated environment variables, credentials, or config paths requested.
Instruction Scope
Runtime instructions and the included script are limited to reading workflow YAML files (glob, include/exclude filters, event filters) and producing a text/JSON report. It does not call external network endpoints or request secrets. Caution: the script parses YAML via regex/line scanning (not a YAML parser), so it can produce false positives/negatives and may mis-handle complex workflow files. The script prints file paths, scores, events, and 'uses' refs — review output if you consider file paths or refs sensitive.
Install Mechanism
Instruction-only skill with no install spec. The only code is the provided script; nothing is downloaded or written to disk beyond running the included script.
Credentials
No credentials or privileged environment variables are required. Optional environment variables control filters and thresholds; these are proportional to the audit task. The script may output workflow file paths and referenced action refs, which you should treat as potentially sensitive information if your repo contains secret-related configuration.
Persistence & Privilege
Skill does not request persistent presence (always=false) and does not modify agent or system configuration. It runs as an on-demand script and does not attempt to store tokens or alter other skills.
Assessment
This skill appears to do exactly what it says: statically scan .github/workflows files and report hardening gaps. Before running: (1) review the included script yourself (it's plain Python/Bash) to ensure its behavior is acceptable; (2) run it on a copy or limited glob if you are concerned about scanning many files; (3) be aware its YAML parsing is line-oriented/regex-based (not a full YAML parser) so verify any critical findings manually; (4) the tool prints file paths and action refs — avoid running it in contexts where printing those to logs would leak sensitive repository details.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: bash, python3
Latest: vk971rszf0v4q518vdjsrph5jcs82fe1y
330 downloads
0 stars
2 versions
Updated 1mo ago
v1.1.0
License: MIT-0

GitHub Actions Workflow Hardening Audit

Use this skill to statically audit .github/workflows/*.yml files before risky defaults leak into production CI.

What this skill does

  • Scans workflow YAML files and scores hardening risk per file
  • Flags jobs missing timeout-minutes
  • Flags missing permissions declarations (workflow-level or job-level)
  • Optionally flags missing concurrency controls
  • Flags floating uses: refs (@main, @master, @latest, major-only tags like @v4)
  • Supports file/event regex filtering for targeted triage in large monorepos
  • Raises severity (ok / warn / critical) and can fail CI gates

Inputs

Optional:

  • WORKFLOW_GLOB (default: .github/workflows/*.y*ml)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • WARN_SCORE (default: 3)
  • CRITICAL_SCORE (default: 7)
  • REQUIRE_TIMEOUT (0/1, default: 1)
  • REQUIRE_PERMISSIONS (0/1, default: 1)
  • REQUIRE_CONCURRENCY (0/1, default: 0)
  • FLAG_FLOATING_REFS (0/1, default: 1)
  • ALLOW_REF_REGEX (regex whitelist for approved refs, optional)
  • WORKFLOW_FILE_MATCH (regex include filter on file path, optional)
  • WORKFLOW_FILE_EXCLUDE (regex exclude filter on file path, optional)
  • EVENT_MATCH (regex include filter on parsed on: triggers, optional)
  • EVENT_EXCLUDE (regex exclude filter on parsed on: triggers, optional)
  • FAIL_ON_CRITICAL (0/1, default: 0)
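As an added example (not the skill's own script), the check list above and the WARN_SCORE / CRITICAL_SCORE / REQUIRE_CONCURRENCY / ALLOW_REF_REGEX inputs are shown as a small line-oriented scanner of the kind the scan report describes, run over a constructed workflow. The weights, the floating-ref regex and the assumption that job ids sit at two-space indentation under jobs: are mine, so like the real tool it is not a YAML parser and can misjudge unusual layouts.

```python
import re
# Constructed sample workflow for this demo (not from the page or the skill's fixtures).
SAMPLE_WORKFLOW = """\
on: [pull_request_target, push]
jobs:
  build:
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4
  test:
    timeout-minutes: 15
    permissions: {contents: read}
    steps:
      - uses: actions/checkout@v4.1.1
"""
# Floating refs as the README lists them: branch names, @latest, and major-only tags.
FLOATING_REF = re.compile(r"@(main|master|latest|v\d+)$")
# Assumed weights: the skill's real scoring table is not on the page.
WEIGHTS = {"timeout-minutes": 2, "permissions": 2, "concurrency": 1, "floating_ref": 1}

def audit_workflow(text, warn_score=3, critical_score=7,
                   require_concurrency=False, allow_ref_regex=None):
    # Line-oriented scan (like the skill, not a YAML parser); returns (score, severity, findings).
    lines = text.splitlines()
    jobs, job, in_jobs = {}, None, False
    for line in lines:
        indent, key = len(line) - len(line.lstrip()), line.strip().split(":")[0]
        if line and indent == 0:                              # top-level key: are we under jobs:?
            in_jobs = key == "jobs"
        elif in_jobs and re.fullmatch(r"  [\w-]+:", line):   # 2-space indent under jobs: = job id
            job = key
            jobs[job] = {"timeout-minutes": False, "permissions": False, "uses": []}
        elif job and indent == 4 and key in ("timeout-minutes", "permissions"):
            jobs[job][key] = True                             # job-level hardening key present
        elif job and "uses:" in line:
            jobs[job]["uses"].append(line.split("uses:", 1)[1].strip())
    workflow_permissions = any(l.startswith("permissions:") for l in lines)
    findings, score = [], 0
    if require_concurrency and not any(l.startswith("concurrency:") for l in lines):
        findings.append("workflow: missing concurrency"); score += WEIGHTS["concurrency"]
    for name, info in jobs.items():
        for field in ("timeout-minutes", "permissions"):
            if not (info[field] or (field == "permissions" and workflow_permissions)):
                findings.append(f"{name}: missing {field}"); score += WEIGHTS[field]
        for ref in info["uses"]:
            if allow_ref_regex and re.search(allow_ref_regex, ref):
                continue                                      # ALLOW_REF_REGEX approves this ref
            if FLOATING_REF.search(ref):
                findings.append(f"{name}: floating ref {ref}"); score += WEIGHTS["floating_ref"]
    severity = "critical" if score >= critical_score else "warn" if score >= warn_score else "ok"
    return score, severity, findings
```

With the defaults the sample scores 6 (warn); with require_concurrency=True it reaches 7 and would trip a FAIL_ON_CRITICAL gate, while allow_ref_regex=r"@v\d+$" approves the major-only tag and drops it to 5.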

Run

Text report:

WORKFLOW_GLOB='.github/workflows/*.y*ml' \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

JSON output + fail gate:

WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
REQUIRE_CONCURRENCY=1 \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

Filter to only PR-target workflows:

WORKFLOW_GLOB='.github/workflows/*.y*ml' \
EVENT_MATCH='pull_request_target' \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

Run against bundled fixtures:

WORKFLOW_GLOB='skills/github-actions-workflow-hardening-audit/fixtures/*.y*ml' \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh

Output contract

  • Exit 0 in report mode (default)
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more workflows are critical
  • Text mode prints summary + ranked workflow risks
  • JSON mode prints summary + ranked workflows + critical workflows
