
Detect missing permissions key #6

Open
johnbillion opened this issue Aug 11, 2024 · 2 comments

Comments

@johnbillion

The permissions key can help reduce the impact that a malicious or compromised action can have by restricting its permissions to the minimum required access for the job to run.

It would be great if Octoscan included a rule which detected workflows with a missing permissions key. The key can be set at the workflow level, affecting all jobs, and at each job level.

@hugo-syn
Collaborator

This rule is worth discussing, as it does not depend entirely on the permission attribute defined in the workflow. For example, with a pull_request trigger, the permission linked to the GITHUB_TOKEN will not be the same if it is triggered by a person with write access to the repository or by an external contributor.

There is also a setting at the repository or organization level which drastically reduces the permissions on the token:

[Screenshot: 2024-08-12_17-26]

For new organizations (after 2023, I think), this setting is enabled by default, and you must explicitly add the required authorizations.
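A sketch of the rule requested in the issue, taking into account the caveat raised in the reply above. This is an added example written for this page, not Octoscan's own code. It works on the workflow as a dict in the shape `yaml.safe_load()` returns for the file, so PyYAML is not needed to run it; the three sample workflows (`WORKFLOW_NO_PERMS`, `WORKFLOW_TOP_LEVEL`, `WORKFLOW_PARTIAL`) and the file names passed to `check_workflow` are constructed for the example.

```python
"""Added example: report GitHub Actions jobs that run with no explicit
`permissions` key, either at workflow level or on the job itself.
Not Octoscan's code; input dicts mirror what yaml.safe_load() returns."""

from typing import Any

# PyYAML (YAML 1.1) parses the bare key `on` as boolean True, so a loaded
# workflow may carry {True: ...} instead of {"on": ...}; accept both.
ON_KEYS = ("on", True)

# Constructed sample 1: no permissions key anywhere -> every job is reported.
WORKFLOW_NO_PERMS: dict = {
    "name": "build",
    True: {"pull_request": None, "push": {"branches": ["main"]}},
    "jobs": {
        "test": {"runs-on": "ubuntu-latest",
                 "steps": [{"uses": "actions/checkout@v4"}, {"run": "make test"}]},
        "lint": {"runs-on": "ubuntu-latest", "steps": [{"run": "make lint"}]},
    },
}

# Constructed sample 2: workflow-level key covers all jobs -> nothing reported.
WORKFLOW_TOP_LEVEL: dict = {
    "name": "release",
    "on": {"push": {"tags": ["v*"]}},
    "permissions": {"contents": "write"},
    "jobs": {"publish": {"runs-on": "ubuntu-latest",
                         "steps": [{"run": "make publish"}]}},
}

# Constructed sample 3: one job sets its own key, the other does not.
WORKFLOW_PARTIAL: dict = {
    "name": "ci",
    "on": ["pull_request_target"],
    "jobs": {
        "test": {"runs-on": "ubuntu-latest", "permissions": {"contents": "read"},
                 "steps": [{"run": "make test"}]},
        "deploy": {"runs-on": "ubuntu-latest", "steps": [{"run": "./deploy.sh"}]},
    },
}


def triggers(workflow: dict) -> list[str]:
    """Event names from the `on` key, whether it is a string, list or mapping."""
    on: Any = next((workflow[k] for k in ON_KEYS if k in workflow), None)
    if on is None:
        return []
    if isinstance(on, str):
        return [on]
    if isinstance(on, list):
        return [str(t) for t in on]
    return [str(k) for k in on]


def jobs_missing_permissions(workflow: dict) -> list[str]:
    """Names of jobs with no effective `permissions` key.

    Any value counts as explicit, including `{}` (no scopes) and the
    `read-all` / `write-all` shorthands: this rule is about the key being
    absent, not about whether the chosen scopes are minimal.
    """
    if "permissions" in workflow:  # workflow-level key applies to every job
        return []
    jobs = workflow.get("jobs") or {}
    return [name for name, job in jobs.items()
            if not (isinstance(job, dict) and "permissions" in job)]


def check_workflow(path: str, workflow: dict) -> list[str]:
    """One finding line per job, with the triggers shown for context.

    As the thread notes, the token a job actually receives also depends on
    the trigger and actor (a pull_request from an external contributor is
    read-only regardless) and on the repository/organisation default
    setting, which a static rule cannot see. The finding therefore reports
    the missing key as a hygiene issue rather than asserting write access.
    """
    events = ",".join(triggers(workflow)) or "<none>"
    return [f"{path}: job '{job}' has no permissions key (triggers: {events})"
            for job in jobs_missing_permissions(workflow)]


if __name__ == "__main__":
    for name, wf in [("build.yml", WORKFLOW_NO_PERMS),
                     ("release.yml", WORKFLOW_TOP_LEVEL),
                     ("ci.yml", WORKFLOW_PARTIAL)]:
        for line in check_workflow(name, wf) or [f"{name}: ok"]:
            print(line)
```

To run it over real files, parse each workflow with `yaml.safe_load()` and pass the result to `check_workflow`; the `on`/`True` handling in `triggers` is what makes that work without pre-processing the YAML.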

@hugo-syn
Collaborator

Hi @johnbillion I think that https://github.com/ossf/scorecard-action can do this :)
