StepSecurity is working on securing GitHub workflows, and OSSF Scorecards recommends using StepSecurity's secure-workflows online tool app.stepsecurity.io to improve the security of GitHub workflows.
This repository has a Scorecards score of 0/10 in the Token-Permissions category with 10 being the most secure.
We have fixed one of the repo's workflow(s) for you by adding permissions for the involved jobs. You can secure the rest of the workflows for improved security by using the StepSecurity online tool at app.stepsecurity.io.
GitHub asks users to define workflow permissions to secure GitHub workflows against supply-chain attacks; see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token.
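To find the workflows that still need the same change, the added example below (not part of this pull request, and not Scorecards' or StepSecurity's own logic) flags jobs whose `GITHUB_TOKEN` falls back to the repository default or is granted `write-all`. The `audit` function and the sample workflow are constructed for illustration, and the indentation-based parsing is a simplification that assumes conventionally formatted block-style YAML.

```python
import re

KEY = re.compile(r"^(\s*)([\w-]+):\s*(.*)$")  # "key: value" lines only, not "- list items"

# Constructed sample workflow, not taken from the repository in this pull request.
BEFORE = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  release:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - run: make release
"""

def audit(workflow_text):
    """Return sorted findings about GITHUB_TOKEN permissions in one workflow."""
    top, jobs = None, {}  # top-level permissions value; job name -> permissions value
    in_jobs, job, job_indent, key_indent = False, None, None, None
    for raw in workflow_text.splitlines():
        m = KEY.match(raw)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).split(" #")[0].strip() or "block"  # "block" = nested mapping
        if indent == 0:  # top-level key: workflow-wide permissions or start of jobs
            in_jobs, job, job_indent = key == "jobs", None, None
            if key == "permissions":
                top = value
        elif in_jobs:
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:  # a new job name
                job, key_indent = key, None
                jobs[job] = None
            elif job is not None:  # keys inside the job; only the first level counts
                key_indent = indent if key_indent is None else key_indent
                if indent == key_indent and key == "permissions":
                    jobs[job] = value
    findings = ["workflow: permissions: write-all"] if top == "write-all" else []
    for name, perms in jobs.items():
        if perms == "write-all":
            findings.append(f"{name}: permissions: write-all")
        elif perms is None and top is None:  # inherits the repository default
            findings.append(f"{name}: no permissions declared")
    return sorted(findings)
```

Declaring a top-level `permissions:` block with `contents: read` and replacing `write-all` with only the scopes a job needs clears both findings for the sample.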