메뉴
Guide for reviewing GitHub Actions for security vulnerabilities.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Provides guidance on securing the Nuget supply chain, including best practices for verifying package integrity, understanding dependencies, and mitigating risks associated with third-party packages. Use this skill when you want to ensure the security and reliability of the Nuget packages you use in your projects.
Describes how to get usage instructions adding or implementing a Nuget package in a project, including viewing best practices and examples from the package's README file. Use this skill when you need to understand how to use a Nuget package effectively in your projects.
Provides guidance on securing the Nuget supply chain, including best practices for verifying package integrity, understanding dependencies, and mitigating risks associated with third-party packages. Use this skill when you want to ensure the security and reliability of the Nuget packages you use in your projects.
Resolves GitHub Action tags/versions (e.g., @v4) to their full 40-character commit SHAs for security pinning.
Create, update, and manage GitHub issues using MCP tools. Use this skill when users want to create bug reports, feature requests, or task issues, update existing issues, add labels/assignees/milestones, or manage issue workflows. Triggers on requests like "create an issue", "file a bug", "request a feature", "update issue X", or any GitHub issue management task.
Manage NuGet packages in .NET projects/solutions. Use this skill when adding, removing, or updating NuGet package versions. It enforces using `dotnet` CLI for package management and provides strict procedures for direct file edits only when updating versions.
| name | Workflow Security Review |
| description | Guide for reviewing GitHub Actions for security vulnerabilities. |
| allowed-tools | mcp_github-mcp_get_ref, mcp_github-mcp_list_tags, mcp_github-mcp_get_repository |
This skill analyzes GitHub Actions workflows for security vulnerabilities and misconfigurations that could lead to code injection, privilege escalation, or credential exposure.
| Tool | Purpose |
|---|---|
mcp_github-mcp_get_ref | Retrieves a Git reference, useful for verifying action SHAs |
mcp_github-mcp_list_tags | Lists all tags for a given repository, useful for identifying action versions |
mcp_github-mcp_get_repository | Fetches repository details, useful for context on workflows |
Use this skill when you need to:
Locate Workflow Files
.github/workflows/ directory for all *.yml and *.yaml filesReview Trigger Events
pull_request_target, workflow_run, or issue_commentInspect Action Pinning
actions/checkout@a12b3c4... ✅ vs actions/checkout@v4 ⚠️Analyze Script Injection Risks
${{ }} expressions in run: blocksgithub.event.issue.title, github.event.comment.body, github.event.pull_request.title, github.head_refReview Permissions
permissions: are set at job or workflow levelcontents: read as default)Check Secret Handling
For detailed vulnerability patterns, secure code examples, best practices, and remediation guidance, see reference.md.