creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
04450304b12645cb2b974ab96d28c0664758a88d
Anthropic-Cybersecurity-Skills/skills/securing-github-actions-workflows/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

56 lines
1.8 KiB
Markdown
Raw Blame History

# API Reference: Securing GitHub Actions Workflows
## Security Checks
| Check | Risk | Severity |
|-------|------|----------|
| Unpinned actions (mutable tags) | Supply chain attack via tag overwrite | Medium |
| Missing permissions block | Inherits overly broad defaults | Medium |
| write-all permissions | Excessive token scope | High |
| Script injection in run steps | Code execution via PR title/body | High |
| pull_request_target trigger | Fork code runs with base permissions | High |
| Secrets in workflow logs | Credential exposure | Critical |
## Dangerous Expression Contexts
| Context | Risk |
|---------|------|
| `github.event.pull_request.title` | Attacker-controlled PR title |
| `github.event.pull_request.body` | Attacker-controlled PR body |
| `github.event.issue.title` | Attacker-controlled issue title |
| `github.event.comment.body` | Attacker-controlled comment |
| `github.head_ref` | Attacker-controlled branch name |
## SHA Pinning Format
| Format | Security |
|--------|----------|
| `actions/checkout@v4` | Insecure - mutable tag |
| `actions/checkout@b4ffde65f...` | Secure - immutable SHA |
## Permission Scopes
| Scope | Values |
|-------|--------|
| contents | read, write |
| actions | read, write |
| deployments | read, write |
| id-token | write (for OIDC) |
| security-events | write |
| pull-requests | read, write |
## Python Libraries
| Library | Version | Purpose |
|---------|---------|---------|
| `yaml` | PyYAML >=6.0 | Parse workflow YAML |
| `re` | stdlib | Pattern matching |
| `json` | stdlib | Report output |
| `pathlib` | stdlib | File discovery |
## References
- GitHub Actions Security Hardening: https://docs.github.com/en/actions/security-guides
- StepSecurity Harden Runner: https://github.com/step-security/harden-runner
- actionlint: https://github.com/rhysd/actionlint
Reference in New Issue View Git Blame Copy Permalink