Execute qualquer Skill no Manus
com um clique

Execute qualquer Skill no Manus com um clique

Começar

$pwd:

ci-cd-security

Name: Ci Cd Security
Author: Hack23

// Security best practices for GitHub Actions workflows, supply chain security, and secure CI/CD pipelines

Executar no Manus

$ git log --oneline --stat

stars:8

forks:2

updated:5 de maio de 2026 às 19:44

SKILL.md

readonly

name	ci-cd-security
description	Security best practices for GitHub Actions workflows, supply chain security, and secure CI/CD pipelines
license	Apache-2.0

CI/CD Security Skill

🔴 AI FIRST Quality Principle

Apply the AI FIRST principle: never accept first-pass quality. Minimum 2 iterations. Read all output, improve every section. No shortcuts.

Purpose

Implement security-hardened CI/CD pipelines using GitHub Actions with least privilege, supply chain security, and comprehensive monitoring.

Core Principles

1. Least Privilege Permissions

Always grant minimum necessary permissions:

permissions:
  contents: read       # Read repo content
  pull-requests: write # Only if managing PRs
  issues: write        # Only if managing issues
  # Deny everything else by default

2. Pin Actions to SHA

Never use tags - always pin to commit SHA:

# ❌ Bad: Using tag (can be moved)
- uses: actions/checkout@v4

# ✅ Good: Pinned to SHA (immutable)
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

3. Harden Runner

Use step-security/harden-runner on every job:

- name: Harden Runner
  uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9
  with:
    egress-policy: audit  # Log all network calls

4. Secrets Management

# ✅ Use GitHub Secrets
- env:
    TOKEN: \${{ secrets.GITHUB_TOKEN }}
  run: |
    # Never echo secrets
    curl -H "Authorization: Bearer \$TOKEN" ...

# ❌ Never hardcode
TOKEN="ghp_hardcoded_token"  # NEVER DO THIS

5. Supply Chain Security

- name: Dependency Review
  uses: actions/dependency-review-action@SHA
  
- name: CodeQL Scanning
  uses: github/codeql-action/analyze@SHA

Security-Hardened Workflow Template

name: Secure Workflow

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9
        with:
          egress-policy: audit
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        
      - name: Setup Node
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: '26'
          cache: 'npm'
          
      - name: Install Dependencies
        run: npm ci
        
      - name: Run Security Checks
        run: |
          npm audit
          npm run lint
          npm test

Supply Chain Security

Dependency Scanning

- name: Run Dependency Review
  uses: actions/dependency-review-action@SHA
  with:
    fail-on-severity: moderate

Code Scanning

- name: Initialize CodeQL
  uses: github/codeql-action/init@SHA
  with:
    languages: javascript, python
    
- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@SHA

Secret Scanning

Enable in repository settings:

GitHub secret scanning
Push protection
Custom patterns if needed

Remember

Least Privilege: Grant minimal permissions
Pin to SHA: Immutable action versions
Harden Runner: Audit all network egress
Scan Everything: Dependencies, code, secrets
Never Trust: Validate all inputs
Monitor Continuously: Review audit logs

References

related-skills.json

mesmo repositório

gh-aw-workflow-authoring.md

from "Hack23/riksdagsmonitor"

Master GitHub Agentic Workflows authoring - markdown syntax, natural language instructions, YAML frontmatter, compilation, and workflow patterns

2026-05-318

github-agentic-workflows.md

from "Hack23/riksdagsmonitor"

Comprehensive expertise in GitHub Agentic Workflows (v0.68.1) — AI-powered repository automation with five-layer security, safe outputs, MCP tools, and Continuous AI patterns

2026-05-318

github-agentic-workflows-mcp-configuration.md

from "Hack23/riksdagsmonitor"

Comprehensive guide for MCP (Model Context Protocol) server setup, transport protocols, configuration validation, lifecycle management, tool discovery, and error handling patterns

2026-05-318

agentic-workflows.md

from "Hack23/riksdagsmonitor"

Route gh-aw workflow create/debug/upgrade requests to the right prompts.

2026-05-308

threat-modeling.md

from "Hack23/riksdagsmonitor"

Comprehensive Hack23 threat modeling process using STRIDE, MITRE ATT&CK, attack trees, and quantitative risk assessment per ISMS Threat_Modeling.md policy

2026-05-288

economic-policy-analysis.md

from "Hack23/riksdagsmonitor"

Fiscal policy, budget analysis, economic forecasting, monetary policy, trade policy for political journalists

2026-05-118

package.json

"author": "Hack23"

"repository": "Hack23/riksdagsmonitor"

Abrir repositório GitHub Ver repositórios do creator

$ install --global

$ download --local

Executar no Manus

$ useful --forSOC

Analistas de segurança da informaçãoInformática e Matemática15-1212L4

name	ci-cd-security
description	Security best practices for GitHub Actions workflows, supply chain security, and secure CI/CD pipelines
license	Apache-2.0

CI/CD Security Skill

🔴 AI FIRST Quality Principle

Apply the AI FIRST principle: never accept first-pass quality. Minimum 2 iterations. Read all output, improve every section. No shortcuts.

Purpose

Implement security-hardened CI/CD pipelines using GitHub Actions with least privilege, supply chain security, and comprehensive monitoring.

Core Principles

1. Least Privilege Permissions

Always grant minimum necessary permissions:

permissions:
  contents: read       # Read repo content
  pull-requests: write # Only if managing PRs
  issues: write        # Only if managing issues
  # Deny everything else by default

2. Pin Actions to SHA

Never use tags - always pin to commit SHA:

# ❌ Bad: Using tag (can be moved)
- uses: actions/checkout@v4

# ✅ Good: Pinned to SHA (immutable)
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

3. Harden Runner

Use step-security/harden-runner on every job:

- name: Harden Runner
  uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9
  with:
    egress-policy: audit  # Log all network calls

4. Secrets Management

# ✅ Use GitHub Secrets
- env:
    TOKEN: \${{ secrets.GITHUB_TOKEN }}
  run: |
    # Never echo secrets
    curl -H "Authorization: Bearer \$TOKEN" ...

# ❌ Never hardcode
TOKEN="ghp_hardcoded_token"  # NEVER DO THIS

5. Supply Chain Security

- name: Dependency Review
  uses: actions/dependency-review-action@SHA
  
- name: CodeQL Scanning
  uses: github/codeql-action/analyze@SHA

Security-Hardened Workflow Template

name: Secure Workflow

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9
        with:
          egress-policy: audit
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        
      - name: Setup Node
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: '26'
          cache: 'npm'
          
      - name: Install Dependencies
        run: npm ci
        
      - name: Run Security Checks
        run: |
          npm audit
          npm run lint
          npm test

Supply Chain Security

Dependency Scanning

- name: Run Dependency Review
  uses: actions/dependency-review-action@SHA
  with:
    fail-on-severity: moderate

Code Scanning

- name: Initialize CodeQL
  uses: github/codeql-action/init@SHA
  with:
    languages: javascript, python
    
- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@SHA

Secret Scanning

Enable in repository settings:

GitHub secret scanning
Push protection
Custom patterns if needed

Remember

Least Privilege: Grant minimal permissions
Pin to SHA: Immutable action versions
Harden Runner: Audit all network egress
Scan Everything: Dependencies, code, secrets
Never Trust: Validate all inputs
Monitor Continuously: Review audit logs

ci-cd-security

CI/CD Security Skill

🔴 AI FIRST Quality Principle

Purpose

Core Principles

1. Least Privilege Permissions

2. Pin Actions to SHA

3. Harden Runner

4. Secrets Management

5. Supply Chain Security

Security-Hardened Workflow Template

Supply Chain Security

Dependency Scanning

Code Scanning

Secret Scanning

Remember

References

Mais deste repositório

Mais deste repositório

CI/CD Security Skill

🔴 AI FIRST Quality Principle

Purpose

Core Principles

1. Least Privilege Permissions

2. Pin Actions to SHA

3. Harden Runner

4. Secrets Management

5. Supply Chain Security

Security-Hardened Workflow Template

Supply Chain Security

Dependency Scanning

Code Scanning

Secret Scanning

Remember

References