detecting-supply-chain-attacks-in-ci-cd
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-supply-chain-attacks-in-ci-cdAudit CI/CD pipelines for supply chain attack vectors and secrets.
- Identifies unpinned actions, script injection, and exposed secrets.
- Leverages PyGithub and YAML parsing for automated workflow analysis.
- Flags specific risks like dependency confusion and injection vectors.
- Outputs structured audit findings for SOC analysts and security teams.
SKILL.md
.github/skills/detecting-supply-chain-attacks-in-ci-cdView on GitHub ↗
---
name: detecting-supply-chain-attacks-in-ci-cd
description: >
Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain
attack vectors including unpinned actions, script injection via expressions, dependency
confusion, and secrets exposure. Uses PyGithub and YAML parsing for automated audit.
Use when hardening CI/CD pipelines or investigating compromised build systems.
domain: cybersecurity
subdomain: security-operations
tags: [detecting, supply, chain, attacks]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Detecting Supply Chain Attacks in CI/CD
## When to Use
- When investigating security incidents that require detecting supply chain attacks in ci cd
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Scan CI/CD workflow files for supply chain risks by parsing GitHub Actions YAML,
checking for unpinned dependencies, script injection vectors, and secrets exposure.
```python
import yaml
from pathlib import Path
for wf in Path(".github/workflows").glob("*.yml"):
with open(wf) as f:
workflow = yaml.safe_load(f)
for job_name, job in workflow.get("jobs", {}).items():
for step in job.get("steps", []):
uses = step.get("uses", "")
if uses and "@" in uses and not uses.split("@")[1].startswith("sha"):
print(f"Unpinned action: {uses} in {wf.name}")
```
Key supply chain risks:
1. Unpinned GitHub Actions (using @main instead of SHA)
2. Script injection via ${{ github.event }} expressions
3. Overly permissive GITHUB_TOKEN permissions
4. Third-party actions with write access to repo
5. Dependency confusion via public/private package name collision
## Examples
```python
# Check for script injection in run steps
for step in job.get("steps", []):
run_cmd = step.get("run", "")
if "${{" in run_cmd and "github.event" in run_cmd:
print(f"Script injection risk: {run_cmd[:80]}")
```
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.