guacsec / guac

GUAC aggregates software security metadata into a high fidelity graph database.
https://guac.sh
Apache License 2.0

zizmor audit for scorecard workflow #2275

Open funnelfiasco opened 1 week ago

funnelfiasco commented 1 week ago
🌈 completed scorecard.yml
warning[excessive-permissions]: overly broad workflow or job-level permissions
  --> .github/workflows/scorecard.yml:18:1
   |
18 | permissions: read-all
   | --------------------- uses read-all permissions
   |
   = note: audit confidence → High

1 findings (0 ignored): 0 unknown, 0 informational, 0 low, 1 medium, 0 high
funnelfiasco commented 1 week ago

It's not clear if read-all is truly necessary here or not. I opened ossf/scorecard-action#1461 to ask about it.

funnelfiasco commented 1 week ago

Seems that read-all isn't necessary, but a matter of convenience. We may want to do some testing to see how much we can restrict that.
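Added example, not the GUAC repository's own workflow: the workflow-level grant zizmor flagged, beside a job-scoped alternative of the kind this thread proposes testing. The job-level scopes shown (`contents: read` for checkout, `security-events: write` for SARIF upload, `id-token: write` for `publish_results`) are assumed from scorecard-action's documented requirements, not taken from this thread; confirm them against that action's README before applying.

```yaml
# --- Before: the setting zizmor reports as excessive-permissions ---
# A workflow-level `read-all` gives every job read access to every
# token scope, whether or not the job uses it.
permissions: read-all
---
# --- After (assumed least-privilege form, to be tested) ---
# Grant nothing at the workflow level; each job then declares only the
# scopes it actually uses, so an injected or compromised step in another
# job gets no inherited read access.
permissions: {}

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read           # needed by actions/checkout (assumed)
      security-events: write   # needed to upload SARIF to code scanning (assumed)
      id-token: write          # needed for publish_results OIDC flow (assumed)
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in a real repo
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

If a step later fails with a 403, the missing scope can be added to the job block rather than reverting to `read-all`; rerunning zizmor on the edited file confirms the finding is gone.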