Conversation

@killev (Collaborator) commented Apr 13, 2025

Added a permissions block to the code-quality.yml workflow that limits the workflow's access to only what it needs:

  • Read access to repository contents
  • Write access to security events for scan results

This follows the principle of least privilege and improves overall security.

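As an added illustration (not the PR's own diff, whose contents are not shown on this page), this is the shape a workflow-level `permissions` block of the kind described above takes in a GitHub Actions file. The workflow name, triggers and steps are assumptions; only the two permission scopes follow the PR description.

```yaml
# Added example, not the code-quality.yml from this PR (its contents are not on this page).
# Workflow name, triggers and job steps are assumed; the permissions block matches the PR text.
name: Code quality

on:
  pull_request:
  push:
    branches: [main]

# Without a permissions block the GITHUB_TOKEN inherits the repository's default
# token permissions, which can be read/write across most scopes. Declaring the
# block at workflow level caps every job in the file, and any scope not listed
# here is set to none.
permissions:
  contents: read          # enough to check out the source
  security-events: write  # needed to upload scan results to code scanning

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Hypothetical scan step that writes a SARIF file (assumed script name)
      - run: ./scripts/run-scan.sh --output results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Because naming any scope under `permissions:` sets every unlisted scope to none, a block like this is also a useful check when reviewing a workflow: if a step later fails with a 403 from the GitHub API, the missing scope is visible in one place rather than hidden in the repository-wide default.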
Copilot AI review requested due to automatic review settings April 13, 2025 12:03
Copilot AI (Contributor) left a comment:

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

@github-actions commented:

🔍 Vulnerabilities of apostrophe-cms:test

📦 Image Reference: apostrophe-cms:test
digest: sha256:9c4e364f8b5613ff438f37fab382b76447254b0ab026ecb03712f3fa812de522
vulnerabilities: critical: 0 high: 2 medium: 0 low: 0
platform: linux/amd64
size: 235 MB
packages: 1082

📦 Base Image: node:23-alpine
also known as:
  • 23-alpine3.21
  • 23.11-alpine
  • 23.11-alpine3.21
  • 23.11.0-alpine
  • 23.11.0-alpine3.21
  • alpine
  • alpine3.21
  • current-alpine
  • current-alpine3.21
digest: sha256:0d468be7d2997dd2f6a3cda45e121a6b5140eb7ba3eba299a215030dbb0fb1ca
vulnerabilities: critical: 0 high: 0 medium: 0 low: 0

async 0.9.2 (npm): critical: 0 high: 1 medium: 0 low: 0

pkg:npm/async@0.9.2

high 7.8: CVE-2021-43138 (OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities)

Affected range: <2.6.4
Fixed version: 2.6.4, 3.2.2
CVSS Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.915%
EPSS Percentile: 74th percentile
Description:

A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

async 1.5.2 (npm): critical: 0 high: 1 medium: 0 low: 0

pkg:npm/async@1.5.2

high 7.8: CVE-2021-43138 (OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities)

Affected range: <2.6.4
Fixed version: 2.6.4, 3.2.2
CVSS Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.915%
EPSS Percentile: 74th percentile
Description:

A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

@sonarqubecloud commented.

@killev killev merged commit 68a36a9 into main Apr 13, 2025
7 checks passed
@killev killev deleted the fix-security-issues branch April 13, 2025 12:24