ci: add GitHub Actions security audit script #3600

Open

zackverham wants to merge 5 commits into main from
Adds a Python script to audit GitHub Actions workflows for common security best practices.

The script checks for:

1. Explicit permissions declarations
2. No 'secrets: inherit' usage
3. Fork PR protection for jobs using secrets
4. Tag ancestry verification on release workflows
5. Workflow dispatch protection on publish/release workflows
6. Overly permissive permissions
7. Pinned action versions (no @main/@master)
8. Dangerous patterns (untrusted input, pull_request_target)

Based on security hardening work applied to this repository.

Run with: `python scripts/audit_gha_security.py`

Run tests: `cd scripts && python -m unittest test_audit_gha_security`

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- `just audit-gha-security` - Run the security audit
- `just test-scripts` - Now also runs audit script tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The script now supports:

- `--format json` for programmatic/machine-readable output
- `--github-actions` for explicit GHA mode (also auto-detected via GITHUB_ACTIONS env)
- GitHub Actions workflow commands (::error::, ::warning::, ::notice::, ::group::)
- File and line annotations for errors/warnings
- Step summary output (GITHUB_STEP_SUMMARY)
- Output variables (GITHUB_OUTPUT): error_count, warning_count, has_errors, has_warnings
- `--no-color` flag for CI environments
- `--workflows-dir` to specify custom path

Tests updated to cover new functionality (34 tests total).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds a manual workflow_dispatch trigger to run the GHA security audit script on demand. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Removed unnecessary comment about security hardening.
Summary
This is the result of working through a suggestion proposed by @dotNomad to capture some of the improvements we made to tidy up our GitHub Actions. Those best practices are things we want to continue to maintain moving forward, so this script helps us to mitigate drift over time. It also is something that we could probably apply to other repositories, if we can figure out the right set of validations here.

I don't have any ideas on how often we want to run this, or where the results should live, or anything like that. But it does capture the work in a set of repeatable checks that we can kick off via a GitHub Action manually, which is nice.
Adds a Python script to audit GitHub Actions workflows for common security best practices. This script captures the security hardening improvements that have been applied to this repository, making them repeatable and auditable.
Security Checks
The script checks for 8 categories of security issues:
1. Explicit `permissions` declarations
2. No `secrets: inherit` usage
3. Fork PR protection for jobs using secrets
4. Tag ancestry verification on release workflows
5. `workflow_dispatch` protection on publish/release workflows
6. Overly permissive permissions (`write-all` or unnecessary `contents: write`)
7. Pinned action versions (no `@main` or `@master` for external actions)
8. Dangerous patterns (untrusted input, `pull_request_target` usage)
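As an added illustration of how several of these checks can be expressed (this is not the PR's `scripts/audit_gha_security.py`, whose code is not reproduced on this page), the following Python checker implements line-oriented versions of checks 1, 2, 5, 6, 7 and 8 and renders each finding as a GitHub Actions file annotation. It assumes the workflow text is handed in as a string; the sample workflow at the bottom is constructed for the demonstration and uses the unpinned `posit-dev/with-connect@main` reference mentioned in the audit results. The `environment:` detection is a file-wide approximation rather than a per-job one, and the tag ancestry and fork-protection checks are not attempted here because they need job-level YAML structure that a line scanner does not see.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" or "warning"
    line: int      # 1-based line in the workflow text; 0 means whole file
    message: str


# "uses: owner/repo@ref" for external actions; local "./.github/..." paths have no "@" and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
# An unindented "key:" line, i.e. a top-level workflow key.
TOP_LEVEL_KEY_RE = re.compile(r"^([A-Za-z_][\w-]*):")
# A trigger written as a mapping key or list item under "on:".
TRIGGER_RE = re.compile(r"^(?:-\s*)?(workflow_dispatch|pull_request_target)\s*:?\s*$")
UNPINNED_REFS = {"main", "master"}


def audit_workflow_text(text: str) -> list[Finding]:
    """Return findings for one workflow file's text."""
    findings: list[Finding] = []
    lines = text.splitlines()

    # Check 1: an explicit top-level permissions block must exist.
    top_level = {m.group(1) for ln in lines if (m := TOP_LEVEL_KEY_RE.match(ln))}
    if "permissions" not in top_level:
        findings.append(Finding("warning", 0,
            "no top-level 'permissions:' block; the default GITHUB_TOKEN scope applies"))

    dispatch_line = 0
    has_environment = False
    for n, ln in enumerate(lines, 1):
        stripped = ln.strip()

        # Check 2: 'secrets: inherit' forwards every repository secret to the called workflow.
        if re.match(r"secrets:\s*inherit\b", stripped):
            findings.append(Finding("error", n, "'secrets: inherit' forwards all secrets to a reusable workflow"))

        # Check 6: 'write-all' grants every token scope.
        if re.match(r"permissions:\s*write-all\b", stripped):
            findings.append(Finding("error", n, "'permissions: write-all' grants every GITHUB_TOKEN scope"))

        # Check 7: external actions referenced by a moving branch are not pinned.
        m = USES_RE.match(ln)
        if m and m.group(2) in UNPINNED_REFS:
            findings.append(Finding("warning", n, f"{m.group(1)}@{m.group(2)} is an unpinned action"))

        # Checks 5 and 8: triggers that need extra protection.
        t = TRIGGER_RE.match(stripped)
        if t and t.group(1) == "workflow_dispatch":
            dispatch_line = n
        elif t:
            findings.append(Finding("warning", n,
                "pull_request_target runs with the base repository's token; review what it checks out and runs"))

        # Coarse approximation: any 'environment:' key counts as a reviewer gate for the file.
        if stripped.startswith("environment:"):
            has_environment = True

    if dispatch_line and not has_environment:
        findings.append(Finding("warning", dispatch_line,
            "workflow_dispatch without an 'environment:' (no reviewer gate before secrets are used)"))
    return findings


def summarize(findings: list[Finding]) -> tuple[int, int]:
    """(error_count, warning_count), mirroring what a CI step would export as output variables."""
    errors = sum(1 for f in findings if f.severity == "error")
    return errors, len(findings) - errors


def format_annotation(path: str, f: Finding) -> str:
    """Render a finding as a GitHub Actions workflow command so it appears as a file annotation."""
    loc = f"file={path}" + (f",line={f.line}" if f.line else "")
    return f"::{f.severity} {loc}::{f.message}"


# Constructed sample workflow (not taken from the PR's repository) that trips several checks.
SAMPLE_WORKFLOW = """\
name: publish
on:
  workflow_dispatch:
  pull_request_target:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
      - uses: posit-dev/with-connect@main
  call:
    uses: ./.github/workflows/reusable.yaml
    secrets: inherit
"""

if __name__ == "__main__":
    found = audit_workflow_text(SAMPLE_WORKFLOW)
    for f in found:
        print(format_annotation("sample.yaml", f))
    errors, warnings = summarize(found)
    print(f"{errors} error(s), {warnings} warning(s)")
```

Running the module prints one `::error` or `::warning` line per finding; inside a job those lines become inline annotations on the workflow file, which is the same mechanism the PR's `--github-actions` mode relies on.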
Current Results
Running against this repo's workflows shows 3 warnings (no errors):
- `nightly-prerelease.yaml`: Missing tag ancestry verification
- `nightly-prerelease.yaml`: Has `workflow_dispatch` without environment protection
- `e2e.yaml`: Uses `posit-dev/with-connect@main` (unpinned action)

Test plan
🤖 Generated with Claude Code