GitHub Actions
Policies for securing GitHub Actions workflows. Enforce pinned action versions, restrict permissions, prevent secret exposure, and validate workflow configuration.
Kyverno JSON policies for scanning GitHub Actions workflow files with `nctl scan github-actions`.
What’s Covered
- Pin action versions to full commit SHAs (not mutable tags)
- Restrict workflow permissions to least-privilege
- Detect secret exposure in environment variables
- Enforce branch protection for workflow triggers
- Validate workflow file structure and syntax
All GitHub Actions policies are available in the Nirmata policy library on GitHub.