📖 Update Token-Permissions requirement in checks.yaml #1130
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@olivekl any comment? |
| GitHub, and does not support other source hosting repositories (i.e., Forges). | ||
|
|
||
| Setting token permissions to read-only follows the principle of least privilege. | ||
| Setting token permissions to the minimum needed follows the principle of least privilege. | ||
| This is important because attackers may use a compromised token with write | ||
| access to push malicious code into the project. | ||
|
|
||
| The highest score is awarded when the permissions definitions in each workflow's |
There was a problem hiding this comment.
IIUC, this is not in the scope of this PR? If so, let's discuss this in a different PR or issue.
There was a problem hiding this comment.
Thanks for updating this. The new description LGTM.
| @@ -579,19 +579,20 @@ checks: | |||
| description: | | |||
| Risk: `High` (vulnerable to malicious code additions) | |||
|
|
|||
| This check determines whether the project's automated workflows tokens are set | |||
| to read-only by default. It is currently limited to repositories hosted on | |||
| This check determines whether permissions for the project's automated workflows tokens are set | |||
There was a problem hiding this comment.
Nit: change to whether token permissions for the project's automated workflows are set ... for better readability.
|
Closing this PR: the code calculation based on the top-level vs run-level permission will be merged in soon thru #1356 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
Docs update - to change the requirement for the token permissions check.
What is the current behavior? (You can also link to an open issue here)
Relax token permission check or not #1129
What is the new behavior (if this is a feature change)?
New logic is in the PR
Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
It will cause the score to increase for some repos.
Other information:
The logic for this change is the following:
The proposed change is a draft, and I expect it to evolve based on discussions...