Scans GitHub Actions workflows and CI/CD configs for supply chain attacks including unpinned actions, script injections via expressions, dependency confusion, and secret leaks using PyGithub and YAML parsing. Useful for auditing pipelines.
npx claudepluginhub killvxk/cybersecurity-skills-zhThis skill uses the workspace's default tool permissions.
通过解析 GitHub Actions YAML 文件,检查未固定的依赖、脚本注入向量和密钥泄露,扫描 CI/CD 工作流文件中的供应链风险。
Scans GitHub Actions workflows and CI/CD configs for supply chain risks like unpinned actions, script injection, dependency confusion, and secrets exposure using Python YAML parsing. Use for auditing pipeline security.
Scans GitHub Actions workflows and CI/CD configs for supply chain risks including unpinned actions, script injection, dependency confusion, and secrets exposure using Python YAML parsing.
Hardens GitHub Actions workflows against supply chain attacks, credential theft, and privilege escalation. Pins actions to SHAs, minimizes GITHUB_TOKEN permissions, prevents script injections via PR inputs, and enforces workflow change reviews.
Share bugs, ideas, or general feedback.
通过解析 GitHub Actions YAML 文件,检查未固定的依赖、脚本注入向量和密钥泄露,扫描 CI/CD 工作流文件中的供应链风险。
import yaml
from pathlib import Path
for wf in Path(".github/workflows").glob("*.yml"):
with open(wf) as f:
workflow = yaml.safe_load(f)
for job_name, job in workflow.get("jobs", {}).items():
for step in job.get("steps", []):
uses = step.get("uses", "")
if uses and "@" in uses and not uses.split("@")[1].startswith("sha"):
print(f"Unpinned action: {uses} in {wf.name}")
关键供应链风险:
${{ github.event }} 表达式的脚本注入# 检查 run 步骤中的脚本注入
for step in job.get("steps", []):
run_cmd = step.get("run", "")
if "${{" in run_cmd and "github.event" in run_cmd:
print(f"Script injection risk: {run_cmd[:80]}")