Why does this skill recommend pinning actions to a commit SHA?

Version tags are mutable and can be updated by a malicious actor to point to compromised code; pinning to a specific commit SHA provides an immutable link to a verified version.

How does this skill help prevent script injection in GitHub Actions?

It identifies where untrusted input like PR titles or branch names are used directly in shell scripts and provides safe implementation patterns using environment variable mapping.

What tools does this skill support for automated scanning?

It provides configuration guidance and rule sets for popular security tools including zizmor, Scorecard, Actionlint, Poutine, and Harden-Runner.

Can this skill help me set up OIDC for AWS or GCP?

Yes, it provides the necessary workflow syntax and permission configurations to use OpenID Connect, allowing you to remove long-lived credentials from your repository secrets.

GitHub Actions Hardening

Name: GitHub Actions Hardening
Author: swannysec

byswannysec

0•

Security & Testing

Hardens GitHub Actions workflows against script injection, supply chain attacks, and unauthorized privilege escalation.

The GitHub Actions Hardening skill provides comprehensive security guidance for CI/CD pipelines, focusing on identifying and mitigating critical vulnerabilities like script injection and artifact poisoning. It assists developers in implementing enterprise-grade security controls, including SHA-pinning for third-party actions, OIDC federation to eliminate long-lived secrets, and least-privilege permission sets for the GITHUB_TOKEN. Whether you are auditing existing workflows for OWASP CI/CD risks or configuring secure self-hosted runners, this skill offers actionable patterns and integration support for leading security scanners like zizmor and OpenSSF Scorecard.

Key Features

01Security auditing for dangerous 'pull_request_target' and 'workflow_run' triggers

020 GitHub stars

03Hardening strategies for self-hosted runners and environment protection rules

04Detection of script and template injection vulnerabilities in workflow 'run' blocks

05Configuration of OIDC and ephemeral credentials for cloud provider access

06Implementation of immutable SHA-pinning for supply chain protection

Use Cases

01Migrating from static cloud secrets to secure, short-lived OIDC tokens

02Auditing GitHub Actions for compliance with CIS benchmarks and OpenSSF Scorecard

03Remediating supply chain vulnerabilities like compromised or redirected action tags

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add swannysec/robot-tools gha-hardening

For use in Claude.ai and ChatGPT

Download Skill