运维生成
- 作者仓库星标 0
- 作者更新于 实时读取
- 作者仓库 skills-registry
- 领域
- 运维部署
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @tomevault-io · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需手动接入
- 是否需要外部 API Key
- 需要 · GitHub
- 兼容的系统
- Linux
- 底层运行要求
- Node.js
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- Shell 执行
- 读取环境变量
- 网络行为
- 允许外网请求
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: ci-cd-ssdf-security
description: GitHub Actions security hardening, CI/CD pipeline integrity, release security, and SSDF alignmen…
category: 运维部署
runtime: Node.js
---
# ci-cd-ssdf-security 输出预览
## PART A: 任务判断
- 适用问题:部署、CI、环境检查、发布或运维排障。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Context / Best used for / Primary references”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于部署、CI、环境检查、发布或运维排障,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Context / Best used for / Primary references”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、执行终端命令、读取环境变量、会按任务需要访问外部网络、需要准备 GitHub API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、执行终端命令、读取环境变量;会按任务需要访问外部网络;需要准备 GitHub API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文没有稳定的斜杠命令要求。安装验证后通常全局生效,直接在对话里点名这个 Skill 并描述任务即可。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、执行终端命令、读取环境变量。
先用一个小任务确认它会围绕“Context / Best used for / Primary references”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: ci-cd-ssdf-security
description: GitHub Actions security hardening, CI/CD pipeline integrity, release security, and SSDF alignmen…
category: 运维部署
source: tomevault-io/skills-registry
---
# ci-cd-ssdf-security
## 什么时候使用
- 把部署运维方向的常用动作沉淀成 Agent 可调用的技能 适合处理部署、CI、发布、回滚、环境检查和运维排障,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤…
- 面向部署、CI、环境检查、发布或运维排障,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Context / Best used for / Primary references」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、执行终端命令、读取环境变量;会按任务需要访问外部网络;需要准备 GitHub API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "ci-cd-ssdf-security" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Context / Best used for / Primary references
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Node.js | 读取文件、写入/修改文件、执行终端命令、读取环境变量 | 会按任务需要访问外部网络
安全层 -> 需要准备 GitHub API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Context
CI/CD pipelines are high-value targets — they hold secrets, produce deployable artifacts, and run with elevated permissions. A misconfigured GitHub Actions workflow can leak credentials, allow unauthorized deployments, or execute attacker-controlled code with write access to the repository. This skill covers GitHub Actions permission hardening, pinned action SHAs, secret hygiene, OIDC federation, pull_request_target risks, release security, and alignment with NIST SSDF practices — including AI-specific considerations from SP 800-218A.
Best used for
GitHub Actions, Azure DevOps, release workflows, and compliance-sensitive repos. Use this skill when reviewing workflow files, pipeline configurations, deployment processes, and any CI/CD changes that affect build integrity or secret handling.
Primary references
- NIST SP 800-218 Secure Software Development Framework (SSDF): https://csrc.nist.gov/pubs/sp/800/218/final
- NIST SP 800-218A Generative AI and SSDF Practices: https://csrc.nist.gov/pubs/sp/800/218/a/final
- GitHub Actions Security Hardening: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
- Microsoft Learn — Custom CodeQL Queries: https://learn.microsoft.com/en-us/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning
Patterns
GITHUB_TOKEN minimum permissions
Without a permissions: block, the token defaults to write-all. Every workflow must declare minimum permissions at the workflow level, granting additional scopes only at the job level where needed.
Least-privilege baseline (workflow level):
permissions: {} # deny all at workflow level; grant per job only
Scope only what each job needs:
jobs:
build:
permissions:
contents: read
release:
permissions:
contents: write
attestations: write
id-token: write
Pinned action SHAs
Tags like @v4 are mutable — a compromised upstream can retag to malicious code. Pin to full commit SHAs with version comments. Use npx pin-github-action .github/workflows/*.yml to automate.
Secrets in workflows
- Always use
${{ secrets.NAME }}— never pass secrets through environment variable indirection. - Never
echoa secret. GitHub masks known secrets, but novel derivations may leak. - Use
::add-mask::for dynamically generated sensitive values. Note: masking only applies to log output after the line where it is set — any value logged before the mask command remains visible. - Never pass secrets to untrusted third-party actions — audit source first.
pull_request_target risk
pull_request_target runs in the base repository context with write permissions and access to secrets — even for fork PRs. If the workflow checks out fork code, an attacker controls what runs with elevated privileges.
If pull_request_target is genuinely required (e.g., labeling), never check out or execute code from the PR head — only read metadata.
OIDC federation vs long-lived credentials
Long-lived cloud credentials stored as secrets do not expire, cannot be scoped to a single run, and are hard to rotate. Prefer OIDC federation (id-token: write) for Azure, AWS, and GCP — tokens are short-lived, audience-scoped, and tied to the specific workflow run.
Build reproducibility
Reproducible builds require deterministic dependency resolution:
- Commit
packages.lock.jsonand restore with--locked-mode. - Pin all tool versions (SDK, runtime, Node.js) in
global.jsonor workflowsetup-*actions. - Avoid floating refs in action inputs (e.g.,
dotnet-version: 8.x— use8.0.401).
Static analysis in CI
Enable CodeQL or GitHub Advanced Security. Requires security-events: write to upload SARIF results to the Security tab. Configure for all project languages; run on every PR and push to the default branch.
Release security
- Environment protection rules: require manual approval for production.
- Required reviewers: at least one reviewer before deployment.
- Artifact attestation:
actions/attest-build-provenancefor signed SLSA provenance (requiresattestations: writeandid-token: writepermissions). - Branch protection: require CI pass and PR reviews before merge to
main; disallow direct pushes.
SSDF alignment
- PO.1 (Define security requirements): CI/CD pipelines should enforce security requirements automatically — static analysis, dependency review, secret scanning.
- PW.4 (Reuse existing, well-secured software): pin action versions, verify third-party actions before adoption, prefer official actions from
actions/*and verified publishers. - RV.1 (Identify vulnerabilities): integrate CodeQL, dependency review, and secret scanning into every PR.
- RV.2 (Assess, prioritize, and remediate): track and triage findings from CI security tools within defined SLAs.
AI-generated workflow considerations (SP 800-218A)
AI tools can generate or modify GitHub Actions workflows. Risks include:
- Suggesting
pull_request_targetwithout understanding the security implications. - Omitting
permissions:blocks (defaulting to overly broad access). - Using mutable action tags instead of pinned SHAs.
- Introducing workflow steps that echo or expose secrets.
- Generating composite actions with unnecessary
GITHUB_TOKENusage.
Review action: treat all AI-generated workflow changes as untrusted input. Review line-by-line against this skill's patterns before merging.
Anti-Patterns
- No
permissions:block in workflow (defaults towrite-all). pull_request_targetwithactions/checkoutreferencinggithub.event.pull_request.head.sha.- Secrets echoed to logs:
echo ${{ secrets.TOKEN }}orenv | grep. - Mutable action tags (
@v4,@main) instead of pinned SHAs. - Long-lived cloud credentials as secrets instead of OIDC federation.
- No branch protection rules on
main— direct pushes allowed. - CodeQL or security scanning not enabled on repositories with deployed services.
- Missing
environment:gates for production deployments. - AI-generated workflow files merged without manual security review.
Examples
BAD — no permissions, mutable tags, secret echo, untrusted action:
on: push
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: echo "Deploying with token ${{ secrets.DEPLOY_TOKEN }}"
- uses: some-org/deploy-action@main
with:
token: ${{ secrets.DEPLOY_TOKEN }}
GOOD — minimal permissions, pinned SHAs, OIDC, environment gate:
permissions:
contents: read
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
environment: production
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- run: dotnet publish -c Release
BAD — pull_request_target checking out fork code:
on: pull_request_target
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
ref: ${{ github.event.pull_request.head.sha }}
- run: dotnet test # attacker-controlled code runs with write token
GOOD — pull_request for untrusted code:
on: pull_request
jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- run: dotnet test
Review cues
- Every workflow file has an explicit
permissions:block at the workflow or job level. - Permissions follow least privilege — only the scopes the job actually needs.
- All
uses:references are pinned to full commit SHAs with version comments. - No
pull_request_targetworkflows check out or execute PR head code. - Secrets are accessed only via
${{ secrets.NAME }}— never echoed, printed, or passed to untrusted actions. - Cloud authentication uses OIDC federation, not long-lived credential secrets.
- Production deployments use
environment:with protection rules and required reviewers. - CodeQL or equivalent static analysis runs on every PR and pushes to default branch.
-
security-events: writeis granted only to jobs that upload SARIF results. - Branch protection requires CI pass and PR review before merge to
main. - AI-generated workflow changes have been manually reviewed against these patterns.
- Artifact attestation is configured for release artifacts.
Good looks like
- Every workflow declares
permissions: contents: readat minimum, with additional scopes only at job level. - All action references are pinned to immutable SHAs with descriptive version comments.
- Cloud auth uses OIDC federation — no long-lived credential secrets in the repository.
pull_request_targetis not used, or is used only for metadata operations (labeling) without checking out PR code.- Secrets are never logged;
::add-mask::is used for dynamically generated sensitive values. - CodeQL runs on every PR; SARIF results are uploaded to GitHub Security tab.
- Production deployments require environment approval gates and reviewer sign-off.
- Build artifacts have signed provenance attestations.
- Branch protection is enforced: CI must pass, PRs required, no direct pushes to
main. - AI-generated workflow modifications are flagged for manual review in the PR process.
Common findings / likely remediations
| Finding | Severity | Likely remediation |
|---|---|---|
No permissions: block (defaults to write-all) |
High | Add explicit permissions: with minimum required scopes |
pull_request_target with checkout of PR head |
Critical | Switch to pull_request trigger or remove checkout of untrusted ref |
| Secrets echoed to workflow logs | Critical | Remove echo statements; use ::add-mask:: for dynamic values |
Mutable action tags (@v4, @main) |
Medium | Pin to full SHA; add version comment; use pin-github-action tooling |
| Long-lived cloud credentials as secrets | High | Migrate to OIDC federation with id-token: write permission |
| No branch protection on default branch | High | Enable required PR reviews, required CI checks, disallow direct push |
| CodeQL / static analysis not configured | Medium | Add CodeQL workflow with security-events: write; configure for project languages |
| No environment protection for production | High | Create production environment with required reviewers and wait timer |
| AI-generated workflow merged without review | Medium | Establish team policy: all workflow changes require manual security review |
| No artifact attestation on release builds | Medium | Add actions/attest-build-provenance to release workflow |
Source: betaio/LLMTestProject — distributed by TomeVault.
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核