Stats
Actions
Tags
Scans GitHub Actions workflows and CI/CD configs for supply chain attacks including unpinned actions, script injections via expressions, dependency confusion, and secret leaks using PyGithub and YAML parsing. Useful for auditing pipelines.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills-zh:detecting-supply-chain-attacks-in-ci-cdThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
通过解析 GitHub Actions YAML 文件,检查未固定的依赖、脚本注入向量和密钥泄露,扫描 CI/CD 工作流文件中的供应链风险。
通过解析 GitHub Actions YAML 文件,检查未固定的依赖、脚本注入向量和密钥泄露,扫描 CI/CD 工作流文件中的供应链风险。
import yaml
from pathlib import Path
for wf in Path(".github/workflows").glob("*.yml"):
with open(wf) as f:
workflow = yaml.safe_load(f)
for job_name, job in workflow.get("jobs", {}).items():
for step in job.get("steps", []):
uses = step.get("uses", "")
if uses and "@" in uses and not uses.split("@")[1].startswith("sha"):
print(f"Unpinned action: {uses} in {wf.name}")
关键供应链风险:
${{ github.event }} 表达式的脚本注入# 检查 run 步骤中的脚本注入
for step in job.get("steps", []):
run_cmd = step.get("run", "")
if "${{" in run_cmd and "github.event" in run_cmd:
print(f"Script injection risk: {run_cmd[:80]}")
npx claudepluginhub killvxk/cybersecurity-skills-zhScans GitHub Actions workflows and CI/CD configs for supply chain risks like unpinned actions, script injection, dependency confusion, and secrets exposure using Python YAML parsing. Use for auditing pipeline security.
Scans GitHub Actions workflows and CI/CD pipelines for supply chain attack vectors including unpinned actions, script injection, dependency confusion, and secrets exposure. Uses PyGithub and YAML for automated audit.
Scans GitHub Actions workflows and CI/CD pipelines for supply chain attack vectors including unpinned actions, script injection, dependency confusion, and secrets exposure. Uses PyGithub and YAML for automated audit.