微信扫一扫GitHub Actions Permission Scope Audit
Use this skill to detect over-broad GITHUB_TOKEN permissions and scope drift across GitHub Actions workflows.
What this skill does
- Reads workflow YAML files
- Detects explicit broad permission grants (
write-all,contents: write, etc.) - Flags risky patterns like
pull_request_targetworkflows with write permissions - Identifies workflows with no explicit
permissionspolicy - Emits text or JSON for CI triage and policy gates
Inputs
Optional:
WORKFLOW_GLOB(default:.github/workflows/*.y*ml)TOP_N(default:20)OUTPUT_FORMAT(textorjson, default:text)WARN_SCORE(default:2)CRITICAL_SCORE(default:5)FLAG_MISSING_PERMISSIONS(0or1, default:1)FLAG_WRITE_ALL(0or1, default:1)FLAG_WRITE_SCOPES(0or1, default:1)WORKFLOW_FILE_MATCH/WORKFLOW_FILE_EXCLUDE(regex, optional)EVENT_MATCH/EVENT_EXCLUDE(regex, optional)PERMISSION_MATCH/PERMISSION_EXCLUDE(regex, optional)FAIL_ON_CRITICAL(0or1, default:0)
Run
Text report:
WORKFLOW_GLOB='.github/workflows/*.yml' \
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
JSON output + fail gate:
WORKFLOW_GLOB='.github/workflows/*.yml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
Run against bundled fixtures:
WORKFLOW_GLOB='skills/github-actions-permission-scope-audit/fixtures/*.yml' \
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
Output contract
- Exit
0in report mode (default) - Exit
1whenFAIL_ON_CRITICAL=1and one or more workflows are critical - Text mode prints summary + ranked workflows
- JSON mode prints summary + ranked workflows + critical workflows