Flagged lines in .github/workflows/codeql.yml:

```yaml
    name: Call Ledger CodeQL analysis
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1
    secrets: inherit
```
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 28 days ago
In general, the fix is to explicitly declare permissions for the GITHUB_TOKEN either at the workflow root (applies to all jobs) or at the job level (applies only to that job), and to restrict them to the minimal access needed. For a typical CodeQL analysis workflow that only needs to read the repository contents and security events, GitHub’s own starter workflows use read-only or narrowly scoped permissions such as actions: read, contents: read, and security-events: write.
The single best way to fix this without changing existing functionality is to add a permissions block under the analyse job. This keeps the change local to the job highlighted by CodeQL and avoids affecting any other jobs that might later be added to the workflow. A safe, least-privilege set matching GitHub’s recommended CodeQL configuration is:

```yaml
permissions:
  actions: read
  contents: read
  security-events: write
```

These lines should be indented to align with the other keys under analyse (e.g., name, uses, secrets) in .github/workflows/codeql.yml. No additional methods, imports, or definitions are needed because this is pure workflow configuration.
| @@ -12,5 +12,9 @@ | ||
| jobs: | ||
| analyse: | ||
| name: Call Ledger CodeQL analysis | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1 | ||
| secrets: inherit |
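Review bot: the `permissions` map added to the `analyse` job is also the ceiling for `reusable_codeql_checks.yml`, because a called reusable workflow can only narrow the caller job's token grant, never widen it. Before merging, compare this block with the `permissions:` that the reusable workflow declares for itself (uploading CodeQL results needs `security-events: write`, which this hunk keeps) and add any scope it requires; otherwise the failure surfaces inside the called run rather than at the caller. Placing the block between `name:` and `uses:` at the same indentation as the sibling keys is correct.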
Flagged lines in .github/workflows/unit-tests.yml:

```yaml
    name: Unit Tests
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1
    secrets: inherit
```
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 28 days ago
In general, the fix is to add an explicit permissions block that grants the least privileges necessary for the workflow. For a unit-test workflow that just checks out code and runs tests, contents: read is typically sufficient. Since this job delegates to a reusable workflow, the best non-breaking change is to define a conservative, read-only permission set at the job level; if the reusable workflow needs additional, more specific write scopes, they can be added later based on actual needs.
Concretely, in .github/workflows/unit-tests.yml, under the unit_tests job (around line 14), add a permissions: section aligned with the existing keys (name, uses, secrets). The minimal, safe block is:
```yaml
permissions:
  contents: read
```

This limits the GITHUB_TOKEN to read repository contents while leaving the rest unchanged. No imports, methods, or other definitions are needed, as this is a pure YAML configuration change inside the shown file and snippet.
| @@ -12,5 +12,7 @@ | ||
| jobs: | ||
| unit_tests: | ||
| name: Unit Tests | ||
| permissions: | ||
| contents: read | ||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1 | ||
| secrets: inherit |
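Review bot: `contents: read` alone caps `reusable_unit_tests.yml` at a read-only token, since the called workflow inherits at most the caller job's grant; if that workflow publishes test results (for example through `checks: write`), check its own `permissions:` block before merging, otherwise the run fails inside the reusable workflow. Separately, the unchanged `secrets: inherit` on the line below still forwards every repository secret to a job that only runs unit tests; passing just the secrets it needs would match the least-privilege intent of this hunk.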
Closing this PR for now.
This PR migrates workflows to use centralized reusable workflows from LedgerHQ/ledger-app-workflows.
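A small checker for the condition both autofixes above address (a caller job with no `permissions:` block, so it runs with the repository's default GITHUB_TOKEN grant), as an added example that is not part of this PR or of the LedgerHQ workflows. Ruby is used only because its standard library ships a YAML parser; the workflow text is constructed and the function names are my own.

```ruby
require 'yaml'

# Constructed sample workflow (not from the PR): one caller job with no
# permissions block and one that already restricts the token.
SAMPLE_WORKFLOW = <<~YAML
  name: CI
  jobs:
    analyse:
      name: Call Ledger CodeQL analysis
      uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1
      secrets: inherit
    unit_tests:
      name: Unit Tests
      permissions:
        contents: read
      uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1
      secrets: inherit
YAML

# Job ids that fall back to the repository's default GITHUB_TOKEN grant: no
# `permissions:` on the job and none at workflow level. This is the condition
# behind the CodeQL "Workflow does not contain permissions" alert.
def jobs_without_permissions(workflow_yaml)
  wf = YAML.safe_load(workflow_yaml)
  return [] if wf.key?('permissions') # a workflow-level block covers every job
  wf.fetch('jobs', {}).reject { |_, job| job.is_a?(Hash) && job.key?('permissions') }.keys
end

# Add an explicit permissions map to one job (placed right after `name:`, as in
# the autofix diffs) and return the re-serialised workflow. `perms` is a Hash
# such as { 'contents' => 'read' }; the job's other keys are left untouched.
def add_job_permissions(workflow_yaml, job_id, perms)
  wf = YAML.safe_load(workflow_yaml)
  job = wf.fetch('jobs').fetch(job_id)
  wf['jobs'][job_id] = { 'name' => job['name'] }.compact.merge('permissions' => perms).merge(job)
  wf.to_yaml
end

if $PROGRAM_NAME == __FILE__
  puts "jobs with no permissions block: #{jobs_without_permissions(SAMPLE_WORKFLOW).inspect}"
  codeql_perms = { 'actions' => 'read', 'contents' => 'read', 'security-events' => 'write' }
  puts add_job_permissions(SAMPLE_WORKFLOW, 'analyse', codeql_perms)
end
```

Run against a real caller workflow by reading the file into `jobs_without_permissions`; an empty array means every job has an explicit grant, and the re-serialised output of `add_job_permissions` is what the two hunks above would leave in place.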