ClawKit Reliability Toolkit
Official Verified developer tools Safety 5/5

github-actions-workflow-hardening-audit

Audit GitHub Actions workflow files for hardening gaps (missing timeouts/permissions/concurrency and floating action refs).


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/daniellummis/github-actions-workflow-hardening-audit

What This Skill Does

The github-actions-workflow-hardening-audit skill is a robust security analysis tool designed to statically scan GitHub Actions YAML files. In modern CI/CD environments, developers often overlook critical hardening configurations, leading to potential supply chain vulnerabilities. This skill automates the identification of missing timeouts, insufficient permissions, lack of concurrency controls, and the use of insecure, floating action references (such as @main or @latest). By scoring workflows based on these risk factors, the skill provides actionable intelligence to maintain a secure posture before code is merged. It supports advanced filtering options via regex, allowing teams to target specific workflows, events, or directory structures, and can be integrated directly into CI pipelines to enforce security gates by failing builds that do not meet defined safety thresholds.

Installation

To install this skill, use the OpenClaw CLI from your terminal:

clawhub install openclaw/skills/skills/daniellummis/github-actions-workflow-hardening-audit

Ensure you have the OpenClaw environment initialized and that your local environment satisfies any runtime dependencies required by the shell scripts provided in the repository.

Use Cases

This skill is indispensable for DevSecOps engineers and developers concerned with pipeline integrity. Primary use cases include:

  1. Legacy Audit: Scanning an existing repository to baseline the current security debt of GitHub Actions files.
  2. CI Guardrail: Implementing a fail-gate in pull requests to ensure no new workflows are added without proper timeout or permission settings.
  3. Monorepo Triage: Using regex filters to ignore legacy folders or specific test workflows while focusing security resources on high-traffic production delivery pipelines.
  4. Compliance Reporting: Generating a JSON-formatted risk report to demonstrate to security auditors that your organization is proactively managing CI/CD risks.

Example Prompts

  1. "Run a full audit on all workflows in this repository and tell me which ones are currently flagged as critical risk."
  2. "Audit our GitHub Actions for missing timeout and permission settings, but exclude any workflows in the tests directory."
  3. "Perform a security check on workflows triggered by pull_request_target and fail the operation if any are found with a critical hardening score."

Tips & Limitations

To maximize the utility of this skill, prioritize the REQUIRE_CONCURRENCY setting, as it prevents race conditions in production deployments. Be aware that the ALLOW_REF_REGEX feature is a powerful tool to enforce strict versioning (e.g., forcing SHA-based references); however, it requires careful maintenance of your whitelist. The tool is designed for static analysis and does not execute the actual workflows, which makes it safe to run in any CI environment. Limitations include a dependency on standard YAML formatting; highly non-standard or dynamically generated workflows might require manual verification.
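As an added illustration of the checks described under "What This Skill Does" and of the REQUIRE_CONCURRENCY and ALLOW_REF_REGEX settings discussed above, here is a small static auditor written for this page. It is not the skill's own scripts: the setting names are taken from the page, but their exact semantics, the severity weights, the score thresholds and the sample workflow are assumptions made for the example. It works on the mapping a YAML loader produces and never executes a workflow.

```python
"""Static hardening audit of a parsed GitHub Actions workflow.

Example code written for this page, not the skill's own implementation.
It inspects the mapping a YAML loader produces and executes nothing.
"""
import re
from typing import Any

# Assumed behaviour for the two settings the page names: require a
# concurrency group, and allow only action refs matching this regex
# (default: a full 40-hex commit SHA, i.e. a pinned reference).
REQUIRE_CONCURRENCY = True
ALLOW_REF_REGEX = re.compile(r"^[0-9a-f]{40}$")

# Constructed severity weights; the skill's real scoring is not on the page.
WEIGHTS = {
    "floating-ref": 3,
    "missing-permissions": 2,
    "missing-timeout": 1,
    "missing-concurrency": 1,
}


def trigger_events(workflow: dict) -> list[str]:
    """Return the event names a workflow runs on (for event filtering).

    Caveat: YAML 1.1 loaders such as PyYAML parse the bare key `on` as the
    boolean True, so both spellings are checked here.
    """
    on = workflow.get("on", workflow.get(True))
    if on is None:
        return []
    if isinstance(on, str):
        return [on]
    if isinstance(on, list):
        return [str(e) for e in on]
    return [str(e) for e in on.keys()]


def is_floating_ref(uses: str) -> bool:
    """True when a `uses:` target is not pinned to an allowed ref."""
    # Local actions and Docker images carry no git ref to pin.
    if uses.startswith("./") or uses.startswith("docker://"):
        return False
    if "@" not in uses:
        return True
    ref = uses.rsplit("@", 1)[1]
    return ALLOW_REF_REGEX.match(ref) is None


def audit_workflow(workflow: dict) -> list[dict[str, Any]]:
    """Collect hardening findings for every job in the workflow."""
    findings: list[dict[str, Any]] = []
    has_top_permissions = "permissions" in workflow
    has_top_concurrency = "concurrency" in workflow
    for name, job in (workflow.get("jobs") or {}).items():
        if not isinstance(job, dict):
            continue
        # Permissions and concurrency may be set at workflow or job level.
        if not has_top_permissions and "permissions" not in job:
            findings.append({"kind": "missing-permissions", "job": name})
        if REQUIRE_CONCURRENCY and not has_top_concurrency and "concurrency" not in job:
            findings.append({"kind": "missing-concurrency", "job": name})
        # timeout-minutes applies to jobs that run steps, not to jobs that
        # call a reusable workflow through `uses:`.
        if "steps" in job and "timeout-minutes" not in job:
            findings.append({"kind": "missing-timeout", "job": name})
        # Every action or reusable-workflow reference is checked for pinning.
        refs = [job["uses"]] if isinstance(job.get("uses"), str) else []
        for step in job.get("steps") or []:
            if isinstance(step, dict) and isinstance(step.get("uses"), str):
                refs.append(step["uses"])
        for ref in refs:
            if is_floating_ref(ref):
                findings.append({"kind": "floating-ref", "job": name, "uses": ref})
    return findings


def risk_score(findings: list[dict[str, Any]]) -> int:
    return sum(WEIGHTS[f["kind"]] for f in findings)


def risk_level(score: int) -> str:
    """Bucket a score; thresholds are constructed for this example."""
    if score >= 6:
        return "critical"
    if score >= 3:
        return "high"
    return "medium" if score > 0 else "ok"


def audit_file(path: str) -> list[dict[str, Any]]:
    """Load a workflow file with PyYAML (imported lazily) and audit it."""
    import yaml  # third-party; only needed for real files on disk
    with open(path, encoding="utf-8") as fh:
        return audit_workflow(yaml.safe_load(fh) or {})


# Constructed sample: `build` has every gap, `deploy` is hardened.
SAMPLE_WORKFLOW: dict = {
    "name": "deploy",
    "on": {"push": {"branches": ["main"]}},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@main"},
                {"uses": "actions/setup-node@v4"},
                {"run": "npm ci && npm test"},
            ],
        },
        "deploy": {
            "runs-on": "ubuntu-latest",
            "needs": "build",
            "permissions": {"contents": "read", "id-token": "write"},
            "timeout-minutes": 15,
            "concurrency": {"group": "prod-deploy", "cancel-in-progress": False},
            "steps": [
                # Placeholder SHA, not a real commit of actions/checkout.
                {"uses": "actions/checkout@0123456789abcdef0123456789abcdef01234567"},
                {"run": "./deploy.sh"},
            ],
        },
    },
}

if __name__ == "__main__":
    found = audit_workflow(SAMPLE_WORKFLOW)
    for finding in found:
        print(finding)
    total = risk_score(found)
    print(f"score={total} level={risk_level(total)}")  # score=10 level=critical
```

Run as a CI gate, the caller would exit non-zero when `risk_level` returns "critical" for any workflow whose `trigger_events` match the configured filter. Note that `v4`-style tags are reported as floating under the default regex, which is the strict SHA-only policy the page describes; loosening ALLOW_REF_REGEX to accept tags is the trade-off the "whitelist maintenance" remark refers to.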

Metadata

Stars: 3376
Views: 0
Updated: 2026-03-24
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-daniellummis-github-actions-workflow-hardening-audit": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#security #ci-cd #github-actions #devsecops #hardening
Safety Score: 5/5

Flags: file-read