mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-10 21:24:56 +03:00
mukul975
1.2 KiB
1.2 KiB
Workflow Reference: Securing GitHub Actions
Hardening Checklist
- Pin all actions to SHA digests
- Set restrictive default permissions
- Sanitize all user-controlled inputs
- Never use pull_request_target with PR checkout
- Enable environment protection for production
- Configure CODEOWNERS for workflow files
- Enable Dependabot for github-actions
- Audit third-party actions quarterly
- Use OIDC instead of long-lived cloud credentials
- Add harden-runner for network monitoring
Permission Scoping Reference
| Permission | Use Case |
|---|---|
| contents: read | Checkout code |
| contents: write | Create releases, push tags |
| security-events: write | Upload SARIF results |
| packages: write | Push container images |
| deployments: write | Create deployment status |
| id-token: write | OIDC cloud authentication |
| pull-requests: write | Comment on PRs |
Script Injection Prevention
# DANGEROUS patterns to avoid:
run: echo "${{ github.event.issue.title }}"
run: echo "${{ github.event.comment.body }}"
run: echo "${{ github.head_ref }}"
# SAFE alternatives:
env:
TITLE: ${{ github.event.issue.title }}
run: echo "${TITLE}"