Workflow Permissions Audit
workflow_permissions_auditAudit GitHub Actions workflow permissions to identify least-privilege gaps, including missing declarations, write-all, and risky pull_request_target write access.
Instructions
Scan .github/workflows/*.yml for permissions declarations (top-level and per-job) and flag least-privilege gaps.
Required token scope: repo (or public_repo for public-only repos) with read access to repository contents.
Args:
owner, repo: Repository coordinates.
ref: Optional. Branch, tag, or SHA to read workflow files from. Falls back to the repository's default branch.
Flags:
No
permissionsdeclared anywhere in the file (workflow or job level) -- relies on the repo/org default token scope instead of an explicit declaration.permissions: write-all(top-level or per-job) -- grants write access to every scope.Any scope granted
writeon a workflow triggered bypull_request_target-- a known injection/exfiltration risk since that trigger runs with the base repo's token against untrusted PR content.
Returns: per-file findings by severity and a least_privilege/needs_review/over_permissioned conclusion.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| ref | No | Branch, tag, or SHA to read workflow files from. Falls back to the repository's default branch. | |
| repo | No | GitHub repo. Falls back to GITHUB_REPO. | |
| owner | No | GitHub owner. Falls back to GITHUB_OWNER. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| ref | Yes | ||
| repo | Yes | ||
| errors | Yes | ||
| findings | Yes | ||
| conclusion | Yes | ||
| workflowsScanned | Yes |