Github Actions Permission Hardener

Audit and harden GitHub Actions workflows against overbroad permissions, secrets exposure, and supply-chain risks.

Install
cmdop skills install agensi-github-actions-permission-hardener

Secure Your CI/CD Pipeline

GitHub Actions are the backbone of modern CI/CD, but misconfigured permissions can turn your automation into a security liability. This skill provides a specialized, evidence-first security audit and hardening workflow for your GitHub Actions YAML configurations.

What it does

The Permission Hardener goes beyond basic linting. It performs a deep heuristic scan of your workflow files to identify high-risk patterns that automated tools often miss. It evaluates:

  • Permission Scoping: Identifies overbroad GITHUB_TOKEN permissions and suggests least-privilege alternatives.
  • Supply Chain Security: Detects unpinned actions and unverified third-party scripts.
  • Triggers & Injection: Flags unsafe pull_request_target usage and potential script injection points.
  • Resilience: Spots missing timeouts, concurrency conflicts, and cache poisoning risks.

Why use this skill

While generic AI prompts might give you vague advice, this skill uses a structured workflow involving local heuristic scripts and a specialized audit checklist. It ranks findings by severity (Critical to Info), provides exact evidence for every claim, and generates copy-paste remediation snippets that follow GitHub security best practices.

Output Format

Results are delivered in a developer-ready format including a scope of inspection, severity-ranked findings with cited evidence, and safe remediation templates. It clearly separates confirmed risks from hypotheses requiring manual verification.