
Github Actions Permission Hardener
Audit and harden GitHub Actions workflows against overbroad permissions, secrets exposure, and supply-chain risks.
- Enforce least-privilege GITHUB_TOKEN permissions across all workflows
- Identify and fix unsafe pull_request_target configurations
- Pin third-party actions to specific SHAs to prevent supply chain attacks
$19 · or 95 credits. Secure checkout via Stripe.
Included in download
- Enforce least-privilege GITHUB_TOKEN permissions across all workflows
- Identify and fix unsafe pull_request_target configurations
- terminal and file_read automation included
- Works with Claude Code
- Instant install
Sample input
Audit my .github/workflows/deploy.yml file for security risks and suggest hardening steps.
Sample output
### Confirmed Findings
- **High**: Overbroad permissions. `permissions: write-all` detected.
- **Medium**: Unpinned action. `uses: actions/checkout@v2` should be pinned to a full commit SHA.
### Fix
```yaml
permissions:
  contents: read
  deployments: write
```
(Apply fix? [Y/N])

About This Skill
Secure Your CI/CD Pipeline
GitHub Actions are the backbone of modern CI/CD, but misconfigured permissions can turn your automation into a security liability. This skill provides a specialized, evidence-first security audit and hardening workflow for your GitHub Actions YAML configurations.
What it does
The Permission Hardener goes beyond basic linting. It performs a deep heuristic scan of your workflow files to identify high-risk patterns that automated tools often miss. It evaluates:
- Permission Scoping: Identifies overbroad GITHUB_TOKEN permissions and suggests least-privilege alternatives.
- Supply Chain Security: Detects unpinned actions and unverified third-party scripts.
- Triggers & Injection: Flags unsafe pull_request_target usage and potential script injection points.
- Resilience: Spots missing timeouts, concurrency conflicts, and cache poisoning risks.
Why use this skill
While generic AI prompts might give you vague advice, this skill uses a structured workflow involving local heuristic scripts and a specialized audit checklist. It ranks findings by severity (Critical to Info), provides exact evidence for every claim, and generates copy-paste remediation snippets that follow GitHub security best practices.
Output Format
Results are delivered in a developer-ready format including a scope of inspection, severity-ranked findings with cited evidence, and safe remediation templates. It clearly separates confirmed risks from hypotheses requiring manual verification.
Use Cases
- Enforce least-privilege GITHUB_TOKEN permissions across all workflows
- Identify and fix unsafe pull_request_target configurations
- Pin third-party actions to specific SHAs to prevent supply chain attacks
- Detect potential secrets leakage and insecure environment variable usage
- Audit CI resilience issues like missing timeouts or cache poisoning risks
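The checks listed under What it does and Use Cases, as an added example that is not the skill's bundled scanner: a standard-library Python script that scans workflow text for write-all permissions, unpinned actions, pull_request_target runs that check out the PR head, untrusted event fields interpolated into run: steps, and missing timeouts. Both workflows are constructed for illustration, the 40-zero SHAs are placeholders rather than real releases, and the rule names and severities are this example's own, not the skill's.

```python
"""Heuristic GitHub Actions workflow checks (added example; not the skill's bundled scanner)."""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA cannot be moved by the action's owner
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN_BLOCK_RE = re.compile(r"^(\s*(?:-\s*)?)run:\s*[|>]")  # group 1: indent a block scalar must exceed
# Event fields a PR author or commenter controls; interpolating them into run: is script injection
UNTRUSTED_RE = re.compile(
    r"\$\{\{[^}]*github\.event\.(?:pull_request\.(?:title|body|head\.(?:ref|label))"
    r"|issue\.(?:title|body)|comment\.body|review\.body|head_commit\.message)")
# Checking out the PR head under pull_request_target runs attacker code with a write token and secrets
PR_HEAD_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)")


@dataclass
class Finding:
    severity: str  # Critical / High / Medium / Low
    rule: str
    line: int      # 1-based line in the workflow; 0 for whole-file findings
    evidence: str


def scan_workflow(text):
    """Line-oriented scan with no YAML parser: nesting is tracked by indentation only."""
    findings, run_indent = [], None
    has_permissions = has_timeout = uses_prt = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments (heuristic: ignores a quoted '#')
        stripped = line.strip()
        if not stripped:
            continue
        if run_indent is not None and len(line) - len(line.lstrip()) <= run_indent:
            run_indent = None  # the run: block scalar ended
        m = RUN_BLOCK_RE.match(line)
        if m:
            run_indent = len(m.group(1))
        in_run = run_indent is not None or stripped.startswith(("run:", "- run:"))
        if stripped.startswith("permissions:"):
            has_permissions = True
            if "write-all" in stripped:
                findings.append(Finding("High", "overbroad-permissions", n, stripped))
        if stripped.startswith("timeout-minutes:"):
            has_timeout = True
        if "pull_request_target" in stripped:
            uses_prt = True  # assumes on: precedes steps:, as it does in practice
        if uses_prt and PR_HEAD_RE.search(stripped):
            findings.append(Finding("Critical", "prt-untrusted-checkout", n, stripped))
        um = USES_RE.match(line)
        if um and not um.group(1).startswith(("./", "docker://")):
            if not SHA_RE.match(um.group(1).partition("@")[2]):
                findings.append(Finding("Medium", "unpinned-action", n, stripped))
        if in_run and UNTRUSTED_RE.search(stripped):
            findings.append(Finding("High", "script-injection", n, stripped))
    if not has_permissions:
        findings.append(Finding("Medium", "missing-permissions", 0, "no permissions: key; GITHUB_TOKEN gets the repository default"))
    if not has_timeout:
        findings.append(Finding("Low", "missing-timeout", 0, "no timeout-minutes:; a hung job runs until the 360-minute default"))
    return findings


# Constructed sample: a PR preview workflow with the classic mistakes (placeholder SHA, not a real release)
INSECURE_WORKFLOW = """\
name: pr-preview
on:
  pull_request_target:
permissions: write-all
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Building ${{ github.event.pull_request.title }}"
      - uses: actions/setup-node@0000000000000000000000000000000000000000  # placeholder SHA
"""

# Same workflow hardened: pull_request trigger, read-only token, SHA pins, timeout, title passed via env
HARDENED_WORKFLOW = """\
name: pr-preview
on:
  pull_request:
permissions:
  contents: read
jobs:
  preview:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Building $PR_TITLE"
      - uses: actions/setup-node@0000000000000000000000000000000000000000  # placeholder SHA
"""

if __name__ == "__main__":
    for f in scan_workflow(INSECURE_WORKFLOW):
        print(f"{f.severity:8} {f.rule:24} line {f.line}: {f.evidence}")
    print("hardened workflow findings:", len(scan_workflow(HARDENED_WORKFLOW)))
```

Run it as a script to print the findings for the insecure workflow and confirm the hardened one comes back clean. The hardened version moves the PR title into an environment variable, so the shell receives it as data rather than as script text, which is the standard remediation for the injection finding; the pinned setup-node step in the insecure file shows that a full SHA passes the pin check while the `@v2` tag does not.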
Known Limitations
- Does not change repository settings, branch protection, or GitHub secrets automatically.
- The heuristic scanner flags review targets; it does not prove the workflow is secure.
- Repository-level GitHub settings must be verified manually or with user-approved GitHub access.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/github-actions-permission-hardener -o /tmp/github-actions-permission-hardener.zip && unzip -o /tmp/github-actions-permission-hardener.zip -d ~/.claude/skills && rm /tmp/github-actions-permission-hardener.zip
Free skills install directly. Paid skills require purchase: use the download button above after buying. Note that `unzip -o` overwrites any existing files of the same name under ~/.claude/skills, so list the archive contents first (`unzip -l`) if other skills are already installed there.
Reviews
Early access skill. No reviews yet - be the first to share your experience.
Only users who have downloaded or purchased this skill can leave a review.
Security Scanned
Passed automated security review
Permissions
File Scopes
Use read-only inspection first. The bundled scanner is a Python standard-library helper that reads matching files and prints markdown or JSON findings. It does not install dependencies, transmit data, call paid APIs, connect to live services, or modify files. Any write, install, deploy, payment, delete, reset, live-account action, or external network lookup requires explicit user confirmation.
Works with Claude Code, Codex CLI, Cursor, OpenCode/OpenClaw, Gemini CLI, and other agents that load SKILL.md folders. The bundled scanner uses Python 3 standard library only and degrades to manual checklist mode when Python or matching project files are unavailable.