Secure Your CI/CD Pipeline
GitHub Actions are the backbone of modern CI/CD, but misconfigured permissions can turn your automation into a security liability. This skill provides a specialized, evidence-first security audit and hardening workflow for your GitHub Actions YAML configurations.
What it does
The Permission Hardener goes beyond basic linting. It performs a deep heuristic scan of your workflow files to identify high-risk patterns that automated tools often miss. It evaluates:
- Permission Scoping: Identifies overbroad
GITHUB_TOKENpermissions and suggests least-privilege alternatives. - Supply Chain Security: Detects unpinned actions and unverified third-party scripts.
- Triggers & Injection: Flags unsafe
pull_request_targetusage and potential script injection points. - Resilience: Spots missing timeouts, concurrency conflicts, and cache poisoning risks.
Why use this skill
While generic AI prompts might give you vague advice, this skill uses a structured workflow involving local heuristic scripts and a specialized audit checklist. It ranks findings by severity (Critical to Info), provides exact evidence for every claim, and generates copy-paste remediation snippets that follow GitHub security best practices.
Output Format
Results are delivered in a developer-ready format including a scope of inspection, severity-ranked findings with cited evidence, and safe remediation templates. It clearly separates confirmed risks from hypotheses requiring manual verification.