Menu
Guide for reviewing GitHub Actions for security vulnerabilities.
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
Basé sur la classification professionnelle SOC
Provides guidance on securing the Nuget supply chain, including best practices for verifying package integrity, understanding dependencies, and mitigating risks associated with third-party packages. Use this skill when you want to ensure the security and reliability of the Nuget packages you use in your projects.
Describes how to get usage instructions adding or implementing a Nuget package in a project, including viewing best practices and examples from the package's README file. Use this skill when you need to understand how to use a Nuget package effectively in your projects.
Provides guidance on securing the Nuget supply chain, including best practices for verifying package integrity, understanding dependencies, and mitigating risks associated with third-party packages. Use this skill when you want to ensure the security and reliability of the Nuget packages you use in your projects.
Resolves GitHub Action tags/versions (e.g., @v4) to their full 40-character commit SHAs for security pinning.
Create, update, and manage GitHub issues using MCP tools. Use this skill when users want to create bug reports, feature requests, or task issues, update existing issues, add labels/assignees/milestones, or manage issue workflows. Triggers on requests like "create an issue", "file a bug", "request a feature", "update issue X", or any GitHub issue management task.
Manage NuGet packages in .NET projects/solutions. Use this skill when adding, removing, or updating NuGet package versions. It enforces using `dotnet` CLI for package management and provides strict procedures for direct file edits only when updating versions.
| name | Workflow Security Review |
| description | Guide for reviewing GitHub Actions for security vulnerabilities. |
| allowed-tools | mcp_github-mcp_get_ref, mcp_github-mcp_list_tags, mcp_github-mcp_get_repository |
This skill analyzes GitHub Actions workflows for security vulnerabilities and misconfigurations that could lead to code injection, privilege escalation, or credential exposure.
| Tool | Purpose |
|---|---|
mcp_github-mcp_get_ref | Retrieves a Git reference, useful for verifying action SHAs |
mcp_github-mcp_list_tags | Lists all tags for a given repository, useful for identifying action versions |
mcp_github-mcp_get_repository | Fetches repository details, useful for context on workflows |
Use this skill when you need to:
Locate Workflow Files
.github/workflows/ directory for all *.yml and *.yaml filesReview Trigger Events
pull_request_target, workflow_run, or issue_commentInspect Action Pinning
actions/checkout@a12b3c4... ✅ vs actions/checkout@v4 ⚠️Analyze Script Injection Risks
${{ }} expressions in run: blocksgithub.event.issue.title, github.event.comment.body, github.event.pull_request.title, github.head_refReview Permissions
permissions: are set at job or workflow levelcontents: read as default)Check Secret Handling
For detailed vulnerability patterns, secure code examples, best practices, and remediation guidance, see reference.md.