Neargye / magic_enum

Static reflection for enums (to string, from string, iteration) for modern C++, work with any enum type without any macro or boilerplate code
MIT License

CI: Set minimal permissions on GitHub Workflows #247

Closed diogoteles08 closed 1 year ago

diogoteles08 commented 1 year ago

Hi!

I'd like to suggest the definition of minimal permissions on your workflows, as it would harden your security against supply-chain attacks.

I see that your workflows don't specify the permissions for their jobs, so their privileges are being determined by GitHub's defaults. If you define minimal permissions you would be secured against erroneous or malicious actions from external jobs you call from your workflow. It's especially important for the case they get compromised, for example.

The idea would be to set a top-level read-only permission on all of the workflows, so that they would be inherited by any job that does not define job-level permissions. As far as I saw, none of your jobs require write permissions, so this change would be enough for now. But if such a job is added in the future, you would be able to keep the top-level read-only permissions and add the required new permissions as job-level.

Setting minimum permissions for workflows is recommended by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.

Let me know what you think about this. I'd be happy to raise a PR with the changes if you agree.

Context

I'm Diogo and I work on Google's Open Source Security Team (GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊
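The layout the comment above proposes, shown as an added example workflow rather than magic_enum's actual CI file: a top-level `permissions` block restricts the `GITHUB_TOKEN` to read-only for every job, and a single job that genuinely needs to write declares its own narrower `permissions` block. The job names, the build commands, the `publish-docs.sh` script and the action versions are illustrative assumptions, not taken from the project.

```yaml
# Added example, not magic_enum's own workflow. Job names, commands and the
# publish script are assumptions chosen to illustrate the permissions layout.
name: ci

on:
  push:
    branches: [master]
  pull_request:

# Workflow-level default: every job inherits a read-only GITHUB_TOKEN unless
# it declares its own `permissions` block. This overrides the repository's
# default token permissions for this workflow only.
permissions:
  contents: read

jobs:
  build:
    # No job-level `permissions`, so this job inherits `contents: read`.
    # actions/checkout only needs read access to clone the repository.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Configure and build
        run: |
          cmake -S . -B build
          cmake --build build
      - name: Test
        run: ctest --test-dir build --output-on-failure

  # Hypothetical future job that has to push to the repository. It lists the
  # exact scopes it needs at job level; every other job stays read-only.
  publish-docs:
    if: github.event_name == 'push'
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write    # the only scope this job actually needs
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish-docs.sh   # assumed script, for illustration only
```

To confirm the setting took effect, open any run of the workflow and expand the "Set up job" step: it logs the `GITHUB_TOKEN` permissions the job was granted, which should show only `Contents: read` for the `build` job and `Contents: write` for `publish-docs`. Scorecard's `Token-Permissions` check reports the same thing from the workflow file itself.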

Neargye commented 1 year ago

Hi, I would be happy with a PR that will improve security