Anthropic-Cybersecurity-Skills/skills/securing-github-actions-workflows/references/api-reference.md

API Reference: Securing GitHub Actions Workflows

Security Checks

Check	Risk	Severity
Unpinned actions (mutable tags)	Supply chain attack via tag overwrite	Medium
Missing permissions block	Inherits overly broad defaults	Medium
write-all permissions	Excessive token scope	High
Script injection in run steps	Code execution via PR title/body	High
pull_request_target trigger	Fork code runs with base permissions	High
Secrets in workflow logs	Credential exposure	Critical

Dangerous Expression Contexts

Context	Risk
github.event.pull_request.title	Attacker-controlled PR title
github.event.pull_request.body	Attacker-controlled PR body
github.event.issue.title	Attacker-controlled issue title
github.event.comment.body	Attacker-controlled comment
github.head_ref	Attacker-controlled branch name

SHA Pinning Format

Format	Security
actions/checkout@v4	Insecure - mutable tag
actions/checkout@b4ffde65f...	Secure - immutable SHA

Permission Scopes

Scope	Values
contents	read, write
actions	read, write
deployments	read, write
id-token	write (for OIDC)
security-events	write
pull-requests	read, write

Python Libraries

Library	Version	Purpose
yaml	PyYAML >=6.0	Parse workflow YAML
re	stdlib	Pattern matching
json	stdlib	Report output
pathlib	stdlib	File discovery

References

• GitHub Actions Security Hardening: https://docs.github.com/en/actions/security-guides
• StepSecurity Harden Runner: https://github.com/step-security/harden-runner
• actionlint: https://github.com/rhysd/actionlint