Official · Verified · Category: developer tools · Safety 4/5

github-actions-oidc-hardening-audit

Audit GitHub Actions cloud auth workflows for OIDC hardening gaps like missing id-token write permissions, static cloud secrets, and floating auth action refs.


Install via CLI (Recommended):

clawhub install openclaw/skills/skills/daniellummis/github-actions-oidc-hardening-audit

What This Skill Does

The github-actions-oidc-hardening-audit skill is a specialized security tool designed to identify and remediate risky authentication patterns within GitHub Actions workflows. As organizations shift toward OIDC (OpenID Connect) for cloud provider authentication, misconfigurations often leave infrastructure vulnerable to privilege escalation or secret exposure. This skill automates the detection of common OIDC hardening gaps by scanning YAML workflows for insecure practices. It detects usage of major cloud-auth actions like aws-actions/configure-aws-credentials, google-github-actions/auth, and azure/login. Specifically, it flags missing permissions.id-token: write blocks (which are required for OIDC), identifies the presence of static, long-lived cloud secrets, and detects floating action references (e.g., tags like @v1 or @master) that may lead to supply chain vulnerabilities. By scoring findings based on severity, it allows teams to prioritize technical debt and ensure their CI/CD pipelines adhere to zero-trust principles.
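The three checks described above, as an added example written for this page and not the skill's own code: a line-based static scanner that flags floating action refs (anything that is not a 40-hex commit SHA, with an allow-list regex in the spirit of the ALLOW_REF_REGEX setting), static cloud secrets passed to the auth action's inputs, and a cloud-auth step with no id-token: write permission. The two workflows and the input names it looks for are constructed assumptions, and the floating-ref check is applied to every action step, not only the cloud-auth ones.

```python
import re

# Constructed sample workflows (not the skill's own fixtures): one with all three gaps,
# one hardened (OIDC permission, placeholder pinned SHA, role-based auth, no static keys).
RISKY = """\
jobs:
  deploy:
    steps:
      - uses: aws-actions/configure-aws-credentials@master
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""
HARDENED = """\
permissions:
  id-token: write
jobs:
  deploy:
    steps:
      - uses: aws-actions/configure-aws-credentials@0123456789abcdef0123456789abcdef01234567
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy
"""
CLOUD_AUTH_ACTIONS = ("aws-actions/configure-aws-credentials",
                      "google-github-actions/auth", "azure/login")
# Inputs that carry long-lived credentials when fed from ${{ secrets.* }} (assumed list).
STATIC_SECRET_INPUTS = {"aws-access-key-id", "aws-secret-access-key", "credentials_json", "creds"}
SEVERITY = {"missing-id-token": "critical", "static-cloud-secret": "critical", "floating-ref": "high"}

def audit_workflow(text, allow_ref_regex=None):
    """Return findings as (kind, severity, detail, line) for one workflow file."""
    findings, uses_cloud_auth = [], False
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*-?\s*uses:\s*([\w.\-/]+)@(\S+)", line)
        if m:
            action, ref = m.groups()
            uses_cloud_auth |= action.startswith(CLOUD_AUTH_ACTIONS)
            pinned = re.fullmatch(r"[0-9a-f]{40}", ref) is not None   # full commit SHA
            allowed = bool(allow_ref_regex and re.fullmatch(allow_ref_regex, ref))
            if not pinned and not allowed:
                findings.append(("floating-ref", f"{action}@{ref}", n))
        s = re.match(r"\s*([\w\-]+):\s*\$\{\{\s*secrets\.", line)   # input fed from a secret
        if s and s.group(1) in STATIC_SECRET_INPUTS:
            findings.append(("static-cloud-secret", s.group(1), n))
    # OIDC needs id-token: write at workflow or job level; only relevant if a cloud-auth step exists.
    if uses_cloud_auth and not re.search(r"^\s*id-token:\s*write\s*$", text, re.M):
        findings.append(("missing-id-token", "permissions.id-token: write", 0))
    return [(k, SEVERITY[k], d, n) for k, d, n in findings]

def worst_severity(findings):
    """'critical' > 'high' > None; a CI gate can fail the build on 'critical'."""
    levels = {s for _, s, _, _ in findings}
    return "critical" if "critical" in levels else ("high" if levels else None)
```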

Installation

To integrate this skill into your OpenClaw environment, execute the following command in your terminal:

clawhub install openclaw/skills/skills/daniellummis/github-actions-oidc-hardening-audit

Ensure you have the necessary repository permissions to pull from the openclaw/skills source. Once installed, the skill can be invoked directly through your OpenClaw agent workflow using the documented shell scripts provided in the skill directory.

Use Cases

  • Pre-deployment Security Auditing: Automatically audit all new PR workflows to ensure OIDC compliance before they merge into production.
  • Legacy Migration: Identify which legacy workflows rely on static AWS access keys, enabling a structured migration to OIDC roles.
  • Compliance Reporting: Generate JSON reports to track the security posture of your organization's CI/CD infrastructure over time.
  • CI Gatekeeping: Configure automated pipelines to fail builds if critical security violations are detected, preventing insecure configurations from ever reaching your repository.

Example Prompts

  1. "OpenClaw, please run the OIDC hardening audit on all workflow files in the current repository and output the findings as a summary report."
  2. "Scan the .github/workflows/ directory for any cloud authentication workflows that are currently missing the mandatory id-token: write permission."
  3. "Execute a critical audit on our main branch workflows; if any static secrets are detected, provide the file paths and block the build process."

Tips & Limitations

  • Ref Allow-listing: Use the ALLOW_REF_REGEX parameter to allow-list specific action versions you have validated for internal use, reducing false positives on floating refs.
  • Regex Precision: Be mindful that the WORKFLOW_FILE_MATCH regex is case-sensitive and must be formatted correctly, or essential workflow files will be skipped.
  • Limitations: The skill primarily performs static analysis of YAML syntax. It cannot detect static credentials that reach a workflow at runtime through GitHub Secrets or environment variables unless the secret names follow the standard cloud naming patterns it looks for.

Metadata

Stars: 3376
Views: 0
Updated: 2026-03-24

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-daniellummis-github-actions-oidc-hardening-audit": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#security #devops #github-actions #oidc #automation
Safety Score: 4/5

Flags: file-read