[Skill] Github security audit#2098
Conversation
PR SummaryLow Risk Overview The skill prompt walks through optional org-wide repo discovery via Metadata wires RequiredTools to the three GitHub MCP tools above, plus tags for github, supply-chain, ci-cd, and security-audit. Reviewed by Cursor Bugbot for commit 32036ab. Bugbot is set up for automated code reviews on this repo. Configure here. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 3 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 32036ab. Configure here.
|
|
||
| If the user has **not** specified a particular `owner/repo`, use **`git_hub_search_repositories`** to enumerate all public repositories for the target organization or user before auditing. | ||
|
|
||
| 1. Call `git_hub_search_repositories` with a query such as `org:<org-name> is:public` (or `user:<username> is:public`) to list all public repositories. |
There was a problem hiding this comment.
Step zero lacks org identity
Medium Severity
Step 0 requires org:<org-name> or user:<username> in git_hub_search_repositories but never says how to obtain that target when the user did not name a repository or organization, so discovery can stall or guess wrong.
Reviewed by Cursor Bugbot for commit 32036ab. Configure here.
|
|
||
| 1. Call `git_hub_search_repositories` with a query such as `org:<org-name> is:public` (or `user:<username> is:public`) to list all public repositories. | ||
| 2. Collect the full list of `owner/repo` identifiers from the results. | ||
| 3. For each repository discovered, proceed with Steps 1–4 below to audit its `.github/workflows/` directory. |
There was a problem hiding this comment.
Multi-repo report timing unclear
Medium Severity
Step 0 loops Steps 1–4 per discovered repo but never states that Step 5 runs once after all repos. Step 5’s “Total repositories scanned” implies one combined report, so agents may emit partial reports or wrong totals.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 32036ab. Configure here.
|
|
||
| Alternatively, use **`git_hub_search_code`** to locate workflow files across a repository or organization: | ||
| - Query example: `path:.github/workflows extension:yml` scoped to the target repo. | ||
| - This is useful when the repository structure is unknown or when scanning multiple repositories. |
There was a problem hiding this comment.
Search tip omits yaml extension
Low Severity
Step 1’s git_hub_search_code example uses extension:yml only, while Step 1 also expects .yaml workflow files, so code search may miss workflows that use the .yaml suffix.
Reviewed by Cursor Bugbot for commit 32036ab. Configure here.
arielkr256
added
the
ai
1 participant
Use when the user asks to audit GitHub Actions workflows for security vulnerabilities, supply chain risks, script injection, dangerous triggers, or attack vectors from the Wiz GitHub Actions threat model. Triggers on requests like "check my GitHub Actions for vulnerabilities", "audit workflows for pwn requests", "scan for script injection in workflows", "check if actions are pinned to commit SHAs", or "audit all public repos for GitHub Actions issues".