Workflow result
Reports the open control outcome and aggregate exposure signals for this run.
GitHub Actions profile 0.1.0
A useful gate must control who can start the workflow, what its token can do, which exact action code runs, how untrusted text reaches execution, and when a human must approve the next step.
This profile turns current GitHub guidance into eight testable controls, a SHA-pinned workflow, and a privacy-safe CapitalGuard preview. It is a baseline, not a promise that every workflow is safe.
CapitalGuard Security Research | Version 0.1.0 | Sources checked July 17, 2026
Control profile
Each control names the failure mode, the required decision, the evidence to retain, and the matching CapitalGuard Standard control.
| Control | Failure mode | Required action | Evidence |
|---|---|---|---|
CG-GHA-001 Authorized repository scope CGS-AUTH-001 | A security workflow can become an unapproved scan of code the operator does not own or control. | Record repository authorization and keep the workflow scoped to the repository that triggered the run. | authorization-confirmed is explicit and the job does not fetch another private repository. |
CG-GHA-002 Trusted trigger boundary CGS-PRIV-001 | An untrusted actor or event can start a privileged workflow before branch rules or review can intervene. | Use pull_request for untrusted changes. Restrict or prohibit pull_request_target and manual triggers where organizational execution protections are available. | Trigger list, actor policy, event policy, and any evaluated exceptions are retained. |
CG-GHA-003 Read-only token CGS-PRIV-001 | A compromised action can inherit repository write authority through GITHUB_TOKEN. | Declare permissions at workflow or job level and grant contents: read unless a separately reviewed operation needs more. | The workflow contains an explicit minimal permissions block with no implicit write scope. |
CG-GHA-004 Immutable action dependencies CGS-TRACE-001 | A mutable tag can later point to different code while the workflow file appears unchanged. | Pin every third-party action to a verified full-length commit SHA and record the human-readable release in a comment. | All uses references are full 40-character commit SHAs from the intended upstream repositories. |
CG-GHA-005 No persisted checkout credential CGS-SEC-001 | A later step can reuse the checkout credential even when that step does not need repository authentication. | Set persist-credentials: false and provide a separately scoped credential only to a reviewed step that needs it. | Checkout configuration and the absence of later ambient credential use are reviewable in the workflow. |
CG-GHA-006 Untrusted input stays data CGS-INJ-001 | Pull request text, branch names, or other attacker-controlled context can become shell code. | Pass untrusted context through action inputs or intermediate environment variables, never direct expression expansion inside a generated shell script. | Inline run blocks contain no direct executable interpolation of untrusted github context fields. |
CG-GHA-007 OIDC is narrow and optional CGS-ATTEST-001 | Identity permissions can be misunderstood as proof that the workflow logic or repository is safe. | Grant id-token: write only to the job that requests a signed preview or short-lived credential, validate claims server-side, and remove the permission when unused. | The receiving service validates issuer, audience, repository identity, workflow revision, signature, and expiry. |
CG-GHA-008 High-impact actions require a second gate CGS-HUMAN-001 | A passing scan can be treated as permission to deploy, publish, rotate credentials, or change production. | Keep deployment and secret release in a separate protected environment with required review, restricted branches, and no self-approval where available. | Environment protections and the human decision are separate from the scanner result. |
Immutable starter workflow
Both actions are pinned to full commit SHAs. Set manual-controls-confirmed to true only after a person has reviewed least privilege and high-impact approval gates. Remove id-token: write when signed preview is disabled.
actions/checkout v6
df4cb1c069e1874edd31b4311f1884172cec0e10
CapitalGuard Action v1
33d6a70d997c67a53f74247f1bdc83dbeb7d9079
.github/workflows/capitalguard.yml
Raw YAMLname: CapitalGuard AI-agent gate
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
id-token: write # Remove if signed-preview is false.
jobs:
capitalguard:
runs-on: ubuntu-latest
steps:
- name: Check out the triggering repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: Check AI-agent exposure
uses: CapitalGuard-Security/capitalguard-action@33d6a70d997c67a53f74247f1bdc83dbeb7d9079 # v1
with:
authorization-confirmed: true
manual-controls-confirmed: true
fail-on: high
signed-preview: true
annotations: false
Evidence chain
Reports the open control outcome and aggregate exposure signals for this run.
Binds the aggregate evidence state to SHA-256 without exposing source or secret values.
Binds a fixed aggregate receipt to verified GitHub workflow identity, expiry, and revocation.
Requires a separate licensed, authorized review and an active official registry record.
Primary documentation
CapitalGuard maps current GitHub documentation into a conservative profile. The sources describe GitHub capabilities and recommendations; they do not independently certify this profile or any repository.
| Source | Control | Documented boundary | Checked |
|---|---|---|---|
| Secure use reference | Least privilege and immutable action references | GitHub recommends read-only repository contents as the default GITHUB_TOKEN permission and states that a full-length commit SHA is the only immutable way to reference an action release. | 2026-07-17 |
| Script injections | Untrusted workflow input | GitHub documents that pull request titles, bodies, branch names, labels, and other context fields can contain attacker-controlled text and must not flow directly into executable scripts. | 2026-07-17 |
| OpenID Connect | Short-lived workflow identity | GitHub documents OIDC as a way for a workflow to request short-lived, scoped identity rather than storing a long-lived cloud credential, while trust still depends on validating claims and policy. | 2026-07-17 |
| Deployments and environments | Human approval and secret release | GitHub environments can require reviewers, restrict deployment branches, and withhold environment secrets until protection rules pass; availability and behavior vary by repository visibility and plan. | 2026-07-17 |
| Workflow execution protections | Actor and event authorization | GitHub's public-preview execution protections can restrict which actors and events start workflows, including controls for pull_request_target and workflow_dispatch, but preview features require current-plan verification. | 2026-07-17 |
Claim boundary
This profile does not prove that an AI agent, workflow, runner, dependency, or repository is safe.
The public CapitalGuard Action reports aggregate exposure signals. It intentionally withholds exact affected paths, proprietary scoring, prevention assets, and CapitalGuard Verified status.
A signed preview proves the integrity and GitHub workflow identity of a fixed aggregate evidence receipt. It does not certify the repository or replace an authorized review.
GitHub plan availability, repository visibility rules, public-preview features, and product behavior can change. Re-check the cited GitHub documentation before enforcement.
Processes launched outside the workflow, compromised runners or hosts, and external systems outside the declared scope remain separate security boundaries.
Continue the evidence trail
When aggregate signals are not enough
The public gate is deliberately limited. A CapitalGuard license adds the authorized reporting, preventive assets, and verification workflow promised by the selected plan.
Method: direct GitHub documentation and immutable public action references, checked July 17, 2026. Material corrections create a new version and retain prior release files instead of silently replacing them.