Official | Verified | developer tools | Safety 4/5

github-actions-secret-exposure-audit

Audit GitHub Actions workflow files for secret exposure risks like pull_request_target secret usage, secret echo commands, and unpinned action secret passing.


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/daniellummis/github-actions-secret-exposure-audit

What This Skill Does

The github-actions-secret-exposure-audit skill serves as a security-focused static analysis tool tailored specifically for GitHub Actions workflows. Its primary function is to identify common, dangerous patterns in YAML configuration files that could lead to the unintended exposure of secrets, API keys, or sensitive credentials. By scanning workflow definitions, the tool proactively detects risky behaviors such as using ${{ secrets.* }} within pull_request_target event triggers, which is a common vector for secret exfiltration via malicious PRs. Furthermore, it inspects shell commands like echo, printf, and tee to ensure developers aren't accidentally printing masked values to logs, while also flagging secret references passed to unpinned third-party actions—a practice that risks data interception by compromised action versions.

Installation

To integrate this auditing capability into your environment, use the OpenClaw command-line interface. Run the following command:

clawhub install openclaw/skills/skills/daniellummis/github-actions-secret-exposure-audit

Ensure you have the necessary repository permissions if installing from a private source. Once installed, the skill resides in your local skill directory and can be invoked via the scripts provided in the package.

Use Cases

This skill is essential for DevOps engineers and security auditors who need to maintain a secure CI/CD posture. Use it during pre-commit hooks or as part of a CI pipeline audit job to ensure compliance with company security policies. It is particularly valuable during security refactoring sprints, where a massive influx of legacy YAML files needs to be audited for potential leaks. Teams that allow third-party marketplace actions will find it helpful for enforcing pinning policies, ensuring that sensitive environment variables are only passed to trusted, immutable versions of code.

Example Prompts

  1. "Run a secret exposure audit on all workflow files in the current repository and output the results in JSON format."
  2. "Scan the workflow directory and fail the pipeline if any critical secret exposure risks are detected."
  3. "Check for secret usage in pull_request_target workflows using the standard warning score threshold of 4."

Tips & Limitations

To maximize the effectiveness of this audit, ensure that your WORKFLOW_GLOB is configured correctly to cover all relevant paths. While the tool is highly effective at catching structural vulnerabilities, it performs static analysis; it cannot determine runtime behavior or runtime environment mutations. It is recommended to use this alongside dynamic secret management solutions like HashiCorp Vault or GitHub's native environment protection rules. The ALLOW_REF_REGEX feature is your best friend when you have legitimate, internal third-party actions that use custom versioning schemas outside of standard semantic versioning.
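The three checks described under "What This Skill Does" (secrets reachable from a pull_request_target trigger, secrets or secret-bearing env vars handed to echo/printf/tee, and secrets passed to unpinned third-party actions), together with the ALLOW_REF_REGEX exemption mentioned above, can be illustrated with a small standalone scanner. The code below is an added example written for this page; it is not the skill's own code and does not reproduce its scoring. It assumes ALLOW_REF_REGEX semantics of "a `uses:` ref matching the regex is treated as pinned", uses a line-oriented heuristic instead of a full YAML parser (so it handles the usual block-style workflow layout but not every YAML form), and runs over a constructed sample workflow, not a file from any real repository.

```python
import re
from collections import namedtuple

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")  # ${{ secrets.NAME }}
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")                                # ref pinned to a full commit SHA
LOG_CMD = re.compile(r"(^|[;&|\s])(echo|printf|tee)\b")                # commands that write to the log
PRT_TRIGGER = re.compile(r"^\s*-?\s*pull_request_target\s*:?\s*$|^on:.*\bpull_request_target\b")
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]*):\s*(.*)$")             # "key: value" on a stripped line
STEP_START = re.compile(r"^(uses|run|name|id|if):")                      # first key of a "- " step item
Finding = namedtuple("Finding", "severity line message")                 # severity: "critical" | "high"

def _mentions_secret(cmd, secret_env):
    # literal ${{ secrets.X }}, or $X / ${X} where env var X was bound to a secret
    return bool(SECRET_REF.search(cmd)) or any(re.search(r"\$\{?" + re.escape(n) + r"\b", cmd) for n in secret_env)

def _evaluate(step, secret_env, allow, findings):
    if step is None:
        return
    if step["uses"] and step["inputs"]:  # secret handed to an action that is not pinned
        line, ref = step["uses"]
        pinned = ref.startswith("./") or FULL_SHA.search(ref) is not None
        if allow is not None and allow.search(ref):
            pinned = True  # assumed ALLOW_REF_REGEX semantics: refs matching the regex are exempt
        if not pinned:
            findings.append(Finding("high", line, f"secret passed to unpinned action {ref}"))
    for line, cmds in step["runs"]:  # secret (or env var holding one) passed to echo/printf/tee
        if any(LOG_CMD.search(c) and _mentions_secret(c, secret_env) for c in cmds):
            findings.append(Finding("high", line, "secret written to log or file via echo/printf/tee"))

def audit_workflow(text, allow_ref_regex=None):
    allow = re.compile(allow_ref_regex) if allow_ref_regex else None
    lines = [re.sub(r"(^|\s)#.*$", "", l).rstrip() for l in text.splitlines()]  # drop YAML comments
    findings, secret_lines, secret_env, on_prt = [], [], set(), False
    env_indent = run_indent = step = None  # step: {"uses": (line, ref), "runs": [[line, [cmd..]]], "inputs": [line..]}
    for no, ln in enumerate(lines, 1):
        if not ln.strip():
            continue
        ind, body = len(ln) - len(ln.lstrip(" ")), ln.strip()
        on_prt = on_prt or PRT_TRIGGER.search(ln) is not None
        if SECRET_REF.search(ln):
            secret_lines.append(no)
        if env_indent is not None and ind <= env_indent:  # left the env: block
            env_indent = None
        if body == "env:":
            env_indent = ind
        if run_indent is not None:  # inside a block-scalar "run: |"
            if ind > run_indent:
                step["runs"][-1][1].append(body)
                continue
            run_indent = None
        if body.startswith("- ") and STEP_START.match(body[2:].lstrip()):  # a new step item
            _evaluate(step, secret_env, allow, findings)
            step, body = {"uses": None, "runs": [], "inputs": []}, body[2:].lstrip()
        m = KEY_RE.match(body)
        if not m:  # bare scalar or list item, e.g. inside a with: list
            if step is not None and SECRET_REF.search(body):
                step["inputs"].append(no)
            continue
        key, val = m.group(1), m.group(2).strip()
        if env_indent is not None and SECRET_REF.search(val):
            secret_env.add(key)
        if step is None:
            continue
        if key == "uses":
            step["uses"] = (no, val.strip("\"'"))
        elif key == "run":
            step["runs"].append([no, [val]])
            if val in ("|", "|-", "|+", ">", ">-", ">+"):
                run_indent = ind
        elif SECRET_REF.search(val):
            step["inputs"].append(no)
    _evaluate(step, secret_env, allow, findings)
    if on_prt:  # under pull_request_target every secret in the file is reachable from a fork's PR
        findings += [Finding("critical", no, "secret referenced in a pull_request_target workflow") for no in secret_lines]
    return sorted(findings, key=lambda f: f.line)

# Constructed sample workflow (not from any real repository) exercising each pattern.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
jobs:
  publish:
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/publish-action@v2
        with:
          token: ${{ secrets.NPM_TOKEN }}
      - run: echo "token=$NPM_TOKEN"
      - run: |
          printf '%s' "${{ secrets.API_KEY }}" | tee key.txt
      - uses: trusted/internal-action@release-2024.01
        with:
          api_key: ${{ secrets.API_KEY }}
      - uses: some-org/deploy@0123456789abcdef0123456789abcdef01234567
        with:
          token: ${{ secrets.DEPLOY_TOKEN }}
"""
```

On the sample, `audit_workflow(SAMPLE_WORKFLOW)` reports every secret reference as critical because the trigger is pull_request_target, flags the two `uses:` steps that receive a secret without a full-SHA pin, and flags both run steps: the `echo` line only names `$NPM_TOKEN`, but that variable was bound to a secret in the workflow `env:` block, which is why the scanner tracks env bindings rather than matching `${{ secrets.* }}` alone. The step pinned to a 40-hex commit SHA and the local `./` form count as pinned; passing `allow_ref_regex=r"^trusted/"` exempts the internal action with the non-semver tag, which is the situation the ALLOW_REF_REGEX tip above describes. To run it over a repository, feed each file matched by your WORKFLOW_GLOB (for example via `glob.glob`) to `audit_workflow` and fail the job when any finding has severity `critical`.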

Metadata

Stars: 3376
Views: 1
Updated: 2026-03-24
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-daniellummis-github-actions-secret-exposure-audit": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#github-actions #security #devsecops #ci-cd #yaml
Safety Score: 4/5

Flags: file-read, code-execution