search

anchore / sbom-action

GitHub Action for creating software bill of materials using Syft.
Apache License 2.0
169 stars 30 forks source link

Document minimum required permissions #388

Open ericcornelissen opened 2 years ago

ericcornelissen commented 2 years ago

I wanted to use anchore/sbom-action with the dependency-snapshot option but since I always use permissions: read-all (related docs) this didn't work immediately. Instead, the action failed (silently) with the error:

##[warning]Error uploading depdendency snapshot: {
  "url": "https://api.github.com/repos/ericcornelissen/js-regex-security-scanner/dependency-graph/snapshots",
  "status": 403,
  "headers": {
    "access-control-allow-origin": "*",
    "access-control-expose-headers": "ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset",
    "connection": "close",
    "content-encoding": "gzip",
    "content-security-policy": "default-src 'none'",
    "content-type": "application/json; charset=utf-8",
    "date": "Sat, 26 Nov 2022 10:11:03 GMT",
    "referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
    "server": "GitHub.com",
    "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
    "transfer-encoding": "chunked",
    "vary": "Accept-Encoding, Accept, X-Requested-With",
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
    "x-github-media-type": "github.v3; format=json",
    "x-github-request-id": "07C0:1127:61CD34E:C82A67F:6381E637",
    "x-ratelimit-limit": "100",
    "x-ratelimit-remaining": "99",
    "x-ratelimit-reset": "1669457523",
    "x-ratelimit-resource": "dependency_snapshots",
    "x-ratelimit-used": "1",
    "x-xss-protection": "0"
  },
  "data": {
    "message": "Resource not accessible by integration",
    "documentation_url": "https://docs.github.com/rest/reference/dependency-graph#create-a-snapshot-of-dependencies-for-a-repository"
  }
}

From my testing, the required permissions for the dependency-snapshot option are:

permissions:
  content: write

I haven't tried out all other features, but based on their description I think anchore/sbom-action/publish-sbom would need the same permissions to be able to upload the SBOM to a GitHub Release.

I think it would be nice to have the minimum required permissions documented to allow users to easily use the minimum required permissions needed and follow the principle of least privilege.

kzantow commented 2 years ago

Yes, good catch! We definitely need to make it clear which permissions are needed for which features.