security analyst security skill risk: medium

GitHub Actions Supply Chain Risk Scanner

Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain attack vectors including unpinned dependencies, script injection, and secrets exposure.

Policy sensitive
Human review

SKILL 4 files · 2 folders

SKILL.md

Download

---
name: detecting-supply-chain-attacks-in-ci-cd
description: "Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain attack vectors including unpinned"
---
# Detecting Supply Chain Attacks in CI/CD


## When to Use

- When investigating security incidents that require detecting supply chain attacks in ci cd
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

Scan CI/CD workflow files for supply chain risks by parsing GitHub Actions YAML,
checking for unpinned dependencies, script injection vectors, and secrets exposure.

```python
import yaml
from pathlib import Path

for wf in Path(".github/workflows").glob("*.yml"):
    with open(wf) as f:
        workflow = yaml.safe_load(f)
    for job_name, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            if uses and "@" in uses and not uses.split("@")[1].startswith("sha"):
                print(f"Unpinned action: {uses} in {wf.name}")
```

Key supply chain risks:
1. Unpinned GitHub Actions (using @main instead of SHA)
2. Script injection via ${{ github.event }} expressions
3. Overly permissive GITHUB_TOKEN permissions
4. Third-party actions with write access to repo
5. Dependency confusion via public/private package name collision

## Examples

```python
# Check for script injection in run steps
for step in job.get("steps", []):
    run_cmd = step.get("run", "")
    if "${{" in run_cmd and "github.event" in run_cmd:
        print(f"Script injection risk: {run_cmd[:80]}")
```

REQUIRED CONTEXT

GitHub Actions YAML workflow files

EXPECTED OUTPUT

Format

plain_text

Constraints

report detected risks with file and step references

EXAMPLES

Includes two Python code examples demonstrating detection of unpinned actions and script injection risks.

CAVEATS

Missing context

Exact output format (e.g., JSON, table, severity levels)
Scope limitations (GitHub Actions only or other CI systems)

Ambiguities

Description sentence is truncated: "including unpinned"
Does not specify desired output format or report structure

QUALITY

OVERALL: 0.60
CLARITY: 0.72
SPECIFICITY: 0.68
REUSABILITY: 0.55
COMPLETENESS: 0.48

IMPROVEMENT SUGGESTIONS

Complete the truncated description sentence in the YAML frontmatter.
Add an explicit 'Output Format' section defining the expected report structure.
Replace the incomplete code example with a single, runnable function or class.

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.