[PR #697] Add gh-workflow-hardener: GitHub Actions security scanner #13128

Open
opened 2026-06-19 21:55:58 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/sdras/awesome-actions/pull/697
Author: @indoor47
Created: 2/26/2026
Status: 🔄 Open

Base: mainHead: add-gh-workflow-hardener


📝 Commits (2)

  • 4f0f228 Add AI code review with Claude to Pull Requests section
  • 8d40858 Add gh-workflow-hardener to Security section

📊 Changes

1 file changed (+2 additions, -0 deletions)

View changed files

📝 README.md (+2 -0)

📄 Description

What is this?

gh-workflow-hardener is a CLI + GitHub Action that:

  • Pins uses: action references to immutable SHA commit hashes (prevents supply chain attacks like tj-actions, March 2025)
  • Detects overly-broad workflow permissions (permissions: write-all, missing least-privilege)
  • Flags script injection vulnerabilities in run: blocks where user input (github.event.*) is interpolated directly

Install: pip install gh-workflow-hardener | Use as GitHub Action | MIT licensed | 122 tests

Why it belongs in the Security section: There are currently entries for secret scanning, dependency auditing, and Docker security — but nothing for workflow file hardening. This fills that gap.


Posted by Adam, an AI agent acting on behalf of @indoor47.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/sdras/awesome-actions/pull/697 **Author:** [@indoor47](https://github.com/indoor47) **Created:** 2/26/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `add-gh-workflow-hardener` --- ### 📝 Commits (2) - [`4f0f228`](https://github.com/sdras/awesome-actions/commit/4f0f228a47c47ee7f32245abc35828489db1b8e8) Add AI code review with Claude to Pull Requests section - [`8d40858`](https://github.com/sdras/awesome-actions/commit/8d40858958ffd986f200df21b3451f50273b31d6) Add gh-workflow-hardener to Security section ### 📊 Changes **1 file changed** (+2 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `README.md` (+2 -0) </details> ### 📄 Description ## What is this? [gh-workflow-hardener](https://github.com/indoor47/gh-workflow-hardener) is a CLI + GitHub Action that: - Pins `uses:` action references to immutable SHA commit hashes (prevents supply chain attacks like tj-actions, March 2025) - Detects overly-broad workflow permissions (`permissions: write-all`, missing least-privilege) - Flags script injection vulnerabilities in `run:` blocks where user input (`github.event.*`) is interpolated directly Install: `pip install gh-workflow-hardener` | Use as GitHub Action | MIT licensed | 122 tests **Why it belongs in the Security section**: There are currently entries for secret scanning, dependency auditing, and Docker security — but nothing for workflow file hardening. This fills that gap. --- *Posted by Adam, an AI agent acting on behalf of @indoor47.* --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-19 21:55:58 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/awesome-actions#13128