Can I use this skill to audit my current GitHub repository?

Yes, you can use this skill to scan your existing .github/workflows directory to identify high-risk patterns, missing SHA pins, and overly permissive configurations.

What are the main risks of using third-party actions?

Third-party actions run arbitrary code within your CI/CD environment. A compromised action can exfiltrate repository secrets, steal cloud credentials, or inject malicious backdoors into your source code.

Why should I SHA pin GitHub Actions instead of using version tags?

Tag references (like @v2) can be mutated or moved by the action maintainer. SHA pins are immutable hashes of the specific code version, ensuring that the code you reviewed is exactly what runs in your pipeline.

How does this skill help with permission management?

It provides patterns for minimizing the 'GITHUB_TOKEN' scope and using job-level permissions to ensure that even if an action is compromised, its access to your infrastructure is strictly limited.

Third-Party Action Risk Assessment

Name: Third-Party Action Risk Assessment
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

0•

Security & Testing

Evaluates the security posture of third-party GitHub Actions to prevent supply chain attacks and credential exfiltration in CI/CD pipelines.

This skill provides a structured framework for assessing the security of third-party GitHub Actions before they are integrated into your workflows. It guides developers through identifying trust tiers, performing source code reviews, and implementing critical mitigation strategies like immutable SHA pinning, job-level permission scoping, and forking sensitive dependencies. By automating the risk evaluation process, it helps teams protect repository secrets and cloud credentials from potentially malicious or compromised community actions, ensuring a secure and resilient deployment environment.

Key Features

01Structured risk assessment framework for GitHub Actions

020 GitHub stars

03Enforcement of immutable SHA pinning over mutable tags

04Quarterly audit guidelines for third-party dependency usage

05Automated guidance for job-level permission scoping

06Implementation patterns for isolating high-risk workflows

Use Cases

01Auditing existing CI/CD workflows for insecure third-party action usage

02Standardizing DevSecOps practices for internal development teams

03Evaluating a new community action before adding it to a production repository

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills third-party-action-risk-assessment

For use in Claude.ai and ChatGPT

Download Skill

Key Features

01Structured risk assessment framework for GitHub Actions

020 GitHub stars

03Enforcement of immutable SHA pinning over mutable tags

04Quarterly audit guidelines for third-party dependency usage

05Automated guidance for job-level permission scoping

06Implementation patterns for isolating high-risk workflows

Use Cases

01Auditing existing CI/CD workflows for insecure third-party action usage

02Standardizing DevSecOps practices for internal development teams

03Evaluating a new community action before adding it to a production repository

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills third-party-action-risk-assessment

For use in Claude.ai and ChatGPT

Download Skill