github-actions-workflow-hardening-audit

Audit GitHub Actions workflow files for hardening gaps (missing timeouts/permissions/concurrency and floating action refs).

Author: admin | Source: ClawHub
Version: V 1.1.0
Security check: Passed
Downloads: 294
Favorites: 0


# GitHub Actions Workflow Hardening Audit

Use this skill to statically audit `.github/workflows/*.yml` files before risky defaults leak into production CI.

## What this skill does

- Scans workflow YAML files and scores hardening risk per file
- Flags jobs missing `timeout-minutes`
- Flags missing `permissions` declarations (workflow-level or job-level)
- Optionally flags missing `concurrency` controls
- Flags floating `uses:` refs (`@main`, `@master`, `@latest`, major-only tags like `@v4`)
- Supports file/event regex filtering for targeted triage in large monorepos
- Raises severity (`ok` / `warn` / `critical`) and can fail CI gates

## Inputs

Optional:

- `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: `3`)
- `CRITICAL_SCORE` (default: `7`)
- `REQUIRE_TIMEOUT` (`0`/`1`, default: `1`)
- `REQUIRE_PERMISSIONS` (`0`/`1`, default: `1`)
- `REQUIRE_CONCURRENCY` (`0`/`1`, default: `0`)
- `FLAG_FLOATING_REFS` (`0`/`1`, default: `1`)
- `ALLOW_REF_REGEX` (regex whitelist for approved refs, optional)
- `WORKFLOW_FILE_MATCH` (regex include filter on file path, optional)
- `WORKFLOW_FILE_EXCLUDE` (regex exclude filter on file path, optional)
- `EVENT_MATCH` (regex include filter on parsed `on:` triggers, optional)
- `EVENT_EXCLUDE` (regex exclude filter on parsed `on:` triggers, optional)
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)

## Run

Text report:

```bash
WORKFLOW_GLOB='.github/workflows/*.y*ml' \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```

JSON output + fail gate:

```bash
WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
REQUIRE_CONCURRENCY=1 \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```

Filter to only PR-target workflows:

```bash
WORKFLOW_GLOB='.github/workflows/*.y*ml' \
EVENT_MATCH='pull_request_target' \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```

Run against bundled fixtures:

```bash
WORKFLOW_GLOB='skills/github-actions-workflow-hardening-audit/fixtures/*.y*ml' \
bash skills/github-actions-workflow-hardening-audit/scripts/workflow-hardening-audit.sh
```

## Output contract

- Exit `0` in report mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more workflows are critical
- Text mode prints summary + ranked workflow risks
- JSON mode prints summary + ranked workflows + critical workflows
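To show what the checks above actually look for, here is an added, stand-alone Python scanner (not the skill's own bash script) that applies the same four rules to one workflow: per-job `timeout-minutes`, `permissions` at job or workflow level, optional `concurrency`, and floating `uses:` refs with an `ALLOW_REF_REGEX`-style whitelist. It is line-based rather than a YAML parser, the scoring weights are its own assumption, and the sample workflow and commit SHA are constructed.

```python
import re

FLOATING_REF = re.compile(r"@(main|master|latest|v\d+)$")  # @main/@master/@latest/major-only @v4
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)

def audit_workflow(text, require_concurrency=False, allow_ref=None):
    """Line-based scan of one workflow (no YAML parser); returns (score, findings)."""
    findings = []
    top_keys = set(re.findall(r"^([A-Za-z_-]+):", text, re.M))
    wf_perm_missing = "permissions" not in top_keys
    if require_concurrency and "concurrency" not in top_keys:
        findings.append(("warn", "workflow has no concurrency control"))
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if re.match(r"[^\s#]", line):  # a top-level key; only 'jobs:' opens the jobs block
            in_jobs = line.startswith("jobs:")
        elif in_jobs and (m := re.match(r"^  ([A-Za-z0-9_-]+):", line)):  # 2-space indent = job id
            current = m.group(1)
            jobs[current] = []
        elif in_jobs and current:
            jobs[current].append(line)
    for name, body in jobs.items():
        joined = "\n".join(body)
        if not re.search(r"^ {4}timeout-minutes:", joined, re.M):
            findings.append(("warn", f"job '{name}' has no timeout-minutes"))
        if wf_perm_missing and not re.search(r"^ {4}permissions:", joined, re.M):
            findings.append(("critical", f"job '{name}' has no permissions at job or workflow level"))
        for ref in USES_RE.findall(joined):
            if allow_ref and re.search(allow_ref, ref):
                continue  # ALLOW_REF_REGEX-style whitelist for approved refs
            if FLOATING_REF.search(ref):
                findings.append(("warn", f"job '{name}' uses floating ref {ref}"))
    score = sum(3 if sev == "critical" else 1 for sev, _ in findings)  # weights assumed here
    return score, findings

def severity(score, warn_score=3, critical_score=7):
    """Map a score onto ok / warn / critical using the WARN_SCORE and CRITICAL_SCORE defaults."""
    return "critical" if score >= critical_score else "warn" if score >= warn_score else "ok"

# Constructed sample workflow: 'build' is sloppy, 'deploy' is hardened; the SHA is a placeholder.
SAMPLE = """\
on: [pull_request_target]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4.0.2
  deploy:
    timeout-minutes: 10
    permissions: read-all
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
"""
```

On the sample, `build` collects a missing timeout, a missing permissions block and one floating ref (`@v4`, while `@v4.0.2` passes), `deploy` collects nothing, and the file lands in the `warn` band.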

Tags

skill ai

Install via conversation

This skill can be installed through a chat prompt on the following platforms:

OpenClaw WorkBuddy QClaw Kimi Claude

Method 1: Install SkillHub and the skill

Help me install SkillHub and the github-actions-workflow-hardening-audit-1776193354 skill

Method 2: Set SkillHub as the preferred skill installation source

Set SkillHub as my preferred skill installation source, then help me install the github-actions-workflow-hardening-audit-1776193354 skill

Install via command line

skillhub install github-actions-workflow-hardening-audit-1776193354

Download Zip package

⬇ Download github-actions-workflow-hardening-audit v1.1.0

File size: 5.29 KB | Published: 2026-4-15 11:04

v1.1.0 (latest) 2026-4-15 11:04
Add file/event regex filters for targeted workflow triage in large repos
