Can I use this skill to audit my current GitHub repository?

Yes, you can use this skill to scan your existing .github/workflows directory to identify high-risk patterns, missing SHA pins, and overly permissive configurations.

What are the main risks of using third-party actions?

Third-party actions run arbitrary code within your CI/CD environment. A compromised action can exfiltrate repository secrets, steal cloud credentials, or inject malicious backdoors into your source code.

Why should I SHA pin GitHub Actions instead of using version tags?

Tag references (like @v2) can be mutated or moved by the action maintainer. SHA pins are immutable hashes of the specific code version, ensuring that the code you reviewed is exactly what runs in your pipeline.

How does this skill help with permission management?

It provides patterns for minimizing the 'GITHUB_TOKEN' scope and using job-level permissions to ensure that even if an action is compromised, its access to your infrastructure is strictly limited.

Third-Party Action Risk Assessment

Name: Third-Party Action Risk Assessment
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

Security & Testing

Evaluates the security posture of third-party GitHub Actions to prevent supply chain attacks and credential exfiltration in CI/CD pipelines.

About

This skill provides a structured framework for assessing the security of third-party GitHub Actions before they are integrated into your workflows. It guides developers through identifying trust tiers, performing source code reviews, and implementing critical mitigation strategies like immutable SHA pinning, job-level permission scoping, and forking sensitive dependencies. By automating the risk evaluation process, it helps teams protect repository secrets and cloud credentials from potentially malicious or compromised community actions, ensuring a secure and resilient deployment environment.

Key Features

Structured risk assessment framework for GitHub Actions
0 GitHub stars
Enforcement of immutable SHA pinning over mutable tags
Quarterly audit guidelines for third-party dependency usage
Automated guidance for job-level permission scoping
Implementation patterns for isolating high-risk workflows

Use Cases

Auditing existing CI/CD workflows for insecure third-party action usage
Standardizing DevSecOps practices for internal development teams
Evaluating a new community action before adding it to a production repository

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills third-party-action-risk-assessment

For use in Claude.ai and ChatGPT

Download Skill

GitHub