
cicd-pipeline-audit (listed)

Audit CI/CD pipelines (GitHub Actions, GitLab CI, CircleCI, Azure Pipelines, Jenkins, Bitbucket) for security, reliability, reproducibility, supply chain, and deploy safety. One sub-agent per workflow. Static, live, apply, and runtime modes.
anthril/official-claude-plugins · ★ 3 · DevOps & Infrastructure · score 82
Install: claude install-skill anthril/official-claude-plugins
# CI/CD Pipeline Audit

ultrathink

<!-- anthril-output-directive -->
> **Output path directive (canonical — overrides in-body references).**
> All file outputs from this skill MUST be written under `.anthril/audits/cicd-pipeline-audit/`.
> Run `mkdir -p .anthril/audits/cicd-pipeline-audit` before the first `Write` call.
> Primary artefact: `.anthril/audits/cicd-pipeline-audit/<artefact>`.
> Do NOT write to the project root or to bare filenames at cwd.
> Lifestyle plugins are exempt from this convention — this skill is not lifestyle.

## When to use

Run this skill when the user mentions:

- CI/CD audit, GitHub Actions review, pipeline security
- Workflow hardening, release pipeline review
- Supply chain (SBOM, provenance, signed artefacts)
- Concerns about third-party action pinning, minimal permissions, OIDC vs long-lived tokens

Covers eight categories across every CI platform: security (minimal permissions, SHA-pinned actions), reliability (timeouts, concurrency, retry), reproducibility (pinned runners and tool versions), speed (cache keys, path filters), supply chain (provenance, SBOM, signing), secrets hygiene, deploy safety (approval gates, environment protection), and observability (failure notifications, required status checks).

## Before You Start

1. **Determine operating mode.** Read `$ARGUMENTS` for mode flags: `--live` enables `gh` / `glab` / `circleci` CLI reads; `--apply` enables per-finding patching; `--runtime` runs `gh workflow run` or equivalent against a
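As an illustration of the kind of static check the security and reliability categories above call for (SHA-pinned actions, a `permissions:` block, `timeout-minutes`, `concurrency`), here is a small line-based scanner for a GitHub Actions workflow. It is an added example, not code from the skill or the anthril plugin; the sample workflow and its 40-character SHA are constructed, and the checks deliberately stop at file-level presence rather than per-job scope.

```python
import re
from typing import List

# Constructed sample workflow (not from the skill or the page): a mutable tag ref,
# a made-up full-SHA ref, and no permissions / timeout / concurrency settings.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci && npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> List[str]:
    """Return findings for a GitHub Actions workflow, one string per issue."""
    findings = []
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or container actions follow different pinning rules
        target, _, version = ref.partition("@")
        if not version:
            findings.append(f"line {n}: {target} has no version ref at all")
        elif not FULL_SHA_RE.match(version):
            findings.append(
                f"line {n}: {target} pinned to mutable ref '{version}', not a 40-char commit SHA")
    # Workflow-wide settings: presence anywhere in the file is accepted here;
    # a fuller audit would check them per job.
    if not any(l.lstrip().startswith("permissions:") for l in lines):
        findings.append("no 'permissions:' block: GITHUB_TOKEN gets the repository default scope")
    if not any("timeout-minutes:" in l for l in lines):
        findings.append("no 'timeout-minutes:' on any job: a hung job runs until the platform limit")
    if not any(l.lstrip().startswith("concurrency:") for l in lines):
        findings.append("no 'concurrency:' group: overlapping runs can race on the same deploy target")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run against the constructed sample it reports four findings: the tag-pinned `actions/checkout@v4` plus the three missing workflow-wide settings; the SHA-pinned step passes.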