github-actions-permission-scope-audit
v1.0.0Audit GitHub Actions workflow permission scope drift to enforce least-privilege token access.
Sourced from ClawHub,
Authored by Daniel Lummis
Installation
GitHub Actions Permission Scope Audit
Use this skill to detect over-broad GITHUB_TOKEN permissions and scope drift across GitHub Actions workflows.
What this skill does
- Reads workflow YAML files
- Detects explicit broad permission grants (
write-all,contents: write, etc.) - Flags risky patterns like
pull_request_targetworkflows with write permissions - Identifies workflows with no explicit
permissionspolicy - Emits text or JSON for CI triage and policy gates
Inputs
Optional:
- WORKFLOW_GLOB (default: .github/workflows/*.y*ml)
- TOP_N (default: 20)
- OUTPUT_FORMAT (text or json, default: text)
- WARN_SCORE (default: 2)
- CRITICAL_SCORE (default: 5)
- FLAG_MISSING_PERMISSIONS (0 or 1, default: 1)
- FLAG_WRITE_ALL (0 or 1, default: 1)
- FLAG_WRITE_SCOPES (0 or 1, default: 1)
- WORKFLOW_FILE_MATCH / WORKFLOW_FILE_EXCLUDE (regex, optional)
- EVENT_MATCH / EVENT_EXCLUDE (regex, optional)
- PERMISSION_MATCH / PERMISSION_EXCLUDE (regex, optional)
- FAIL_ON_CRITICAL (0 or 1, default: 0)
Run
Text report:
WORKFLOW_GLOB='.github/workflows/*.yml'
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
JSON output + fail gate:
WORKFLOW_GLOB='.github/workflows/*.yml'
OUTPUT_FORMAT=json
FAIL_ON_CRITICAL=1
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
Run against bundled fixtures:
WORKFLOW_GLOB='skills/github-actions-permission-scope-audit/fixtures/*.yml'
bash skills/github-actions-permission-scope-audit/scripts/permission-scope-audit.sh
Output contract
- Exit
0in report mode (default) - Exit
1whenFAIL_ON_CRITICAL=1and one or more workflows are critical - Text mode prints summary + ranked workflows
- JSON mode prints summary + ranked workflows + critical workflows