ci-cd-security
Security best practices for GitHub Actions workflows, supply chain security, and secure CI/CD pipelines
| name | ci-cd-security |
| description | Security best practices for GitHub Actions workflows, supply chain security, and secure CI/CD pipelines |
| license | Apache-2.0 |
Apply the AI FIRST principle: never accept first-pass quality. Minimum 2 iterations. Read all output, improve every section. No shortcuts.
Implement security-hardened CI/CD pipelines using GitHub Actions with least privilege, supply chain security, and comprehensive monitoring.
Always grant minimum necessary permissions:
```yaml
permissions:
  contents: read        # Read repo content
  pull-requests: write  # Only if managing PRs
  issues: write         # Only if managing issues
  # Deny everything else by default
```
Never use tags - always pin to commit SHA:
```yaml
# ❌ Bad: Using tag (can be moved)
- uses: actions/checkout@v4

# ✅ Good: Pinned to SHA (immutable)
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
```
Use step-security/harden-runner on every job:
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9
  with:
    egress-policy: audit # Log all network calls
```
```yaml
# ✅ Use GitHub Secrets
- env:
    TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    # Never echo secrets
    curl -H "Authorization: Bearer $TOKEN" ...

# ❌ Never hardcode
TOKEN="ghp_hardcoded_token" # NEVER DO THIS
```
```yaml
- name: Dependency Review
  uses: actions/dependency-review-action@SHA
- name: CodeQL Scanning
  uses: github/codeql-action/analyze@SHA
```
```yaml
name: Secure Workflow

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write # Required for CodeQL to upload its results

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9
        with:
          egress-policy: audit
          allowed-endpoints: >
            github.com:443
            api.github.com:443

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: Setup Node
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: '26'
          cache: 'npm'

      - name: Install Dependencies
        run: npm ci

      - name: Run Security Checks
        run: |
          npm audit
          npm run lint
          npm test

      - name: Run Dependency Review
        uses: actions/dependency-review-action@SHA
        with:
          fail-on-severity: moderate

      - name: Initialize CodeQL
        uses: github/codeql-action/init@SHA
        with:
          languages: javascript, python

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@SHA
```
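As an added example (not part of this skill's own content), a small line-based checker that flags the anti-patterns the sections above describe in a workflow file: actions pinned to a tag instead of a commit SHA, a missing top-level `permissions` block, a missing `harden-runner` step, and hardcoded token literals. It deliberately avoids a YAML parser so it runs with the standard library only; the sample workflow and the `ghp_` value in it are constructed.

```python
import re

# Rules taken from the page: pin every action to a 40-hex commit SHA, declare a
# top-level permissions block, harden the runner, and never hardcode a token.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# Classic and fine-grained PAT prefixes; the sample token further down is constructed.
TOKEN_RE = re.compile(r"\b(ghp_|github_pat_)[A-Za-z0-9_]+")

def audit_workflow(text):
    """Return (line_no, finding) pairs; line 0 marks file-level findings."""
    findings = []
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            action, _, version = ref.partition("@")
            # Local (./path) and docker:// references carry no tag to pin
            if not action.startswith(("./", "docker://")) and not SHA_RE.match(version):
                findings.append((n, f"unpinned action {ref} (use a commit SHA)"))
        if TOKEN_RE.search(line):
            findings.append((n, "hardcoded token literal"))
        if re.match(r"^\s*permissions:\s*write-all\b", line):
            findings.append((n, "permissions: write-all grants every scope"))
    if not any(l.startswith("permissions:") for l in lines):
        findings.append((0, "no top-level permissions block (GitHub defaults are broader)"))
    if not any("step-security/harden-runner@" in l for l in lines):
        findings.append((0, "no harden-runner step"))
    return findings

# Constructed sample: one unpinned action, a hardcoded token, no harden-runner step
SAMPLE_WORKFLOW = """\
name: Sample
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
      - run: echo "ghp_hardcoded_token"
"""

if __name__ == "__main__":
    for line_no, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {finding}")
```

Running it on the sample reports the `@v4` pin on line 9, the token on line 11 and the missing harden-runner step; a clean workflow returns an empty list.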
Enable in repository settings: