🧪 Skills

GitHub Actions OIDC Hardening Audit

Audit GitHub Actions cloud auth workflows for OIDC hardening gaps like missing id-token write permissions, static cloud secrets, and floating auth action refs.

v1.0.0
❤️ 0
⬇️ 88
👁 1
Save📁 Collect
Share

Description

name: github-actions-oidc-hardening-audit description: Audit GitHub Actions cloud auth workflows for OIDC hardening gaps like missing id-token write permissions, static cloud secrets, and floating auth action refs. version: 1.0.0 metadata: {"openclaw":{"requires":{"bins":["bash","python3"]}}}

GitHub Actions OIDC Hardening Audit

Use this skill to catch risky cloud-auth patterns in workflow YAML before they become identity or secret exposure incidents.

What this skill does

  • Scans workflow YAML files (.github/workflows/*.yml by default)
  • Detects AWS/GCP/Azure auth action usage:
    • aws-actions/configure-aws-credentials
    • google-github-actions/auth
    • azure/login
  • Flags workflows that use cloud auth actions but miss permissions.id-token: write
  • Flags AWS auth usage without role-to-assume
  • Flags likely static cloud credential usage (aws-access-key-id, aws-secret-access-key, cloud credential secrets)
  • Flags floating auth action refs (@main, @master, @v1) unless allow-listed
  • Supports text/json output and CI fail gate

Inputs

Optional:

  • WORKFLOW_GLOB (default: .github/workflows/*.y*ml)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • WARN_SCORE (default: 3)
  • CRITICAL_SCORE (default: 7)
  • WORKFLOW_FILE_MATCH / WORKFLOW_FILE_EXCLUDE (regex, optional)
  • ALLOW_REF_REGEX (regex, optional) — allow-listed action refs
  • FAIL_ON_CRITICAL (0 or 1, default: 0)

Run

Text report:

WORKFLOW_GLOB='.github/workflows/*.yml' \
WARN_SCORE=3 \
CRITICAL_SCORE=7 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

JSON output + fail gate:

WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

Run against bundled fixtures:

WORKFLOW_GLOB='skills/github-actions-oidc-hardening-audit/fixtures/*.y*ml' \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

Output contract

  • Exit 0 in reporting mode (default)
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more workflows are critical
  • Text mode prints summary + top risky workflows
  • JSON mode prints summary + flagged workflows + critical workflows

Reviews (0)

Sign in to write a review.

No reviews yet. Be the first to review!

Comments (0)

Sign in to join the discussion.

No comments yet. Be the first to share your thoughts!

Compatible Platforms

Links

📂 Source Code

Pricing

Free

Related Configs

🧪 Skill

self-improving-agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...

❤️ 2.0k ⬇️ 218k
🧪 Skill

Self Improving Agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. And also 50+ models for image generation, video generation, text-to-speech, spe...

❤️ 2.0k ⬇️ 206k
🧪 Skill

Find Skills

Free

Search, discover, and install skills from the open agent skills ecosystem to extend agent capabilities for specific tasks or domains.

❤️ 814 ⬇️ 199k
🧪 Skill

Summarize

Free

--- name: summarize description: Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube). homepage: https://summarize.sh metadata: {"clawdbot":{"emoji":"🧾","requires":{"b

❤️ 609 ⬇️ 160k