github-actions-workflow-hardening-audit
Audit GitHub Actions workflow files for hardening gaps (missing timeouts/permissions/concurrency and floating action refs).
Install via ClawdBot CLI:
clawdbot install daniellummis/github-actions-workflow-hardening-audit
Grade: Fair, based on market validation, documentation quality, package completeness, maintenance status, and authenticity signals.
Generated Mar 21, 2026
Open source maintainers use this skill to audit their GitHub Actions workflows before merging contributions, ensuring that new workflows don't introduce security risks like missing permissions or floating refs. It helps catch hardening gaps in community-driven projects where multiple contributors submit workflow changes, reducing the risk of supply chain attacks.
Large organizations integrate this skill into their CI/CD pipelines to automatically audit all GitHub Actions workflows across monorepos, enforcing security policies such as required timeouts and permissions. It flags critical issues in production workflows, enabling teams to prioritize fixes and maintain compliance with internal security standards.
DevOps teams use this skill during onboarding to educate new engineers on secure workflow practices by scanning existing workflows and highlighting common pitfalls like missing concurrency controls. It serves as a learning tool to reinforce best practices and reduce human error in workflow configuration.
Companies in regulated sectors like healthcare or government employ this skill to audit GitHub Actions workflows for compliance with security frameworks, ensuring workflows have proper timeouts and permissions to prevent unauthorized access. It generates reports that can be used in audits to demonstrate adherence to hardening requirements.
SaaS providers use this skill to analyze workflows across multiple customer repositories, identifying hardening gaps that could impact service reliability or security. By filtering workflows with event regexes, they can focus on high-risk triggers like pull_request_target and mitigate potential vulnerabilities in shared environments.
Consultants offer this skill as part of security audit packages, helping clients identify and fix hardening gaps in their GitHub Actions workflows. Revenue is generated through project-based fees or retainer contracts for ongoing monitoring and compliance support.
Companies bundle this skill into broader DevOps platforms or CI/CD tools, selling it as a premium feature for automated security scanning. Revenue comes from subscription fees or tiered pricing based on usage, such as the number of repositories scanned.
The skill is offered as open source to build community adoption, with revenue generated from enterprise support contracts, customizations, and training services. Businesses pay for priority support, advanced features, or integration with proprietary systems.
💬 Integration Tip
Integrate this skill into CI pipelines by setting FAIL_ON_CRITICAL=1 to automatically block deployments when critical issues are detected, ensuring security gates are enforced.
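The four checks named in the skill description (per-job timeouts, permissions, concurrency and floating action refs), the event-regex filter mentioned for high-risk triggers such as pull_request_target, and the FAIL_ON_CRITICAL=1 gate from the tip above, written out as an added Python example. This is not the skill's own code: the severity labels, the finding messages, the EVENT_REGEX variable name and the two sample workflows are this example's assumptions, and how the real skill reports its findings is not documented on this page. Reading real .yml files needs PyYAML; the built-in samples run without it.

```python
import os
import re
import sys

# Assumption: a pinned ref is a full commit SHA (40 hex chars, or 64 on SHA-256 repositories).
PINNED_SHA = re.compile(r"^[0-9a-f]{40}(?:[0-9a-f]{24})?$")
CRITICAL, WARNING = "critical", "warning"   # severities are this example's own choice


def triggers(workflow):
    """Event names a workflow runs on. PyYAML (YAML 1.1) reads the bare key `on` as True."""
    on = workflow.get("on", workflow.get(True))
    if on is None:
        return []
    if isinstance(on, str):
        return [on]
    return [str(e) for e in (on if isinstance(on, list) else on.keys())]


def is_pinned(uses):
    """True when a `uses:` reference cannot change underneath the workflow."""
    if uses.startswith("./"):           # local action: versioned with the repository itself
        return True
    if uses.startswith("docker://"):    # container action: immutable only by image digest
        return "@sha256:" in uses
    return bool(PINNED_SHA.match(uses.partition("@")[2]))


def audit(workflow, name="workflow"):
    """Return (severity, location, message) findings for one parsed workflow."""
    findings = []
    top_perms = "permissions" in workflow
    top_conc = "concurrency" in workflow
    for job_name, job in (workflow.get("jobs") or {}).items():
        loc = f"{name}:jobs.{job_name}"
        if not top_perms and "permissions" not in job:
            findings.append((CRITICAL, loc, "no permissions block; GITHUB_TOKEN gets the repository default"))
        if not top_conc and "concurrency" not in job:
            findings.append((WARNING, loc, "no concurrency group; overlapping runs are possible"))
        if "timeout-minutes" not in job:
            findings.append((WARNING, loc, "no timeout-minutes; a hung job holds the runner until the platform limit"))
        refs = [(f"{loc}.uses", job["uses"])] if "uses" in job else []      # reusable-workflow call
        refs += [(f"{loc}.steps[{i}]", s["uses"]) for i, s in enumerate(job.get("steps") or []) if "uses" in s]
        for ref_loc, uses in refs:
            if not is_pinned(uses):
                findings.append((CRITICAL, ref_loc, f"floating action ref {uses!r}; pin to a commit SHA"))
    return findings


def select(workflows, event_regex=None):
    """Keep only workflows with a trigger matching event_regex (all when None)."""
    if event_regex is None:
        return dict(workflows)
    pat = re.compile(event_regex)
    return {n: w for n, w in workflows.items() if any(pat.search(e) for e in triggers(w))}


def exit_code(findings, fail_on_critical=None):
    """The FAIL_ON_CRITICAL=1 gate: nonzero only when the flag is set and a critical finding exists."""
    if fail_on_critical is None:
        fail_on_critical = os.environ.get("FAIL_ON_CRITICAL") == "1"
    return 1 if fail_on_critical and any(f[0] == CRITICAL for f in findings) else 0


# Constructed samples, shaped as PyYAML would load them from a .yml file.
WEAK = {
    True: {"pull_request_target": {"types": ["opened"]}},   # `on:` key, parsed as boolean True
    "jobs": {"build": {"runs-on": "ubuntu-latest",
                       "steps": [{"uses": "actions/checkout@v4"}, {"run": "make test"}]}},
}
HARDENED = {
    "on": {"pull_request": {}},
    "permissions": {"contents": "read"},
    "concurrency": {"group": "ci-${{ github.ref }}", "cancel-in-progress": True},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "timeout-minutes": 15,
                       "steps": [{"uses": "actions/checkout@" + "0" * 40},   # placeholder SHA, not a real pin
                                 {"run": "make test"}]}},
}


def main(argv):
    """Usage: [EVENT_REGEX=...] [FAIL_ON_CRITICAL=1] python audit.py [workflow.yml ...]"""
    regex = os.environ.get("EVENT_REGEX")    # assumed variable name; the skill's real option is not shown here
    if argv:
        import yaml  # PyYAML, needed only for files on disk
        workflows = {}
        for p in argv:
            with open(p, encoding="utf-8") as fh:
                workflows[p] = yaml.safe_load(fh)
    else:
        workflows = {"weak.yml": WEAK, "hardened.yml": HARDENED}   # no files given: audit the samples
    findings = [f for n, w in select(workflows, regex).items() for f in audit(w, n)]
    for sev, loc, msg in findings:
        print(f"[{sev}] {loc}: {msg}")
    return exit_code(findings)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments and the weak sample produces two critical findings (no permissions block, floating `actions/checkout@v4`) and two warnings, so `FAIL_ON_CRITICAL=1 python audit.py` exits 1 while the hardened sample is clean. One caveat worth keeping in any event filter: PyYAML's YAML 1.1 loader turns the bare `on:` key into the boolean True, so a filter that only reads `workflow["on"]` silently skips every workflow in such files, which is why `triggers()` checks both keys.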
Scored Apr 19, 2026