Open hilbix opened 2 years ago
To stress it:
"Requiring full write to the repo" will never be allowed. No automated process will get this right for strict security reasons.
I already asked GitHub/Microsoft to allow a 2nd scratch-account to protect against permission nightmares (like Travis-CI), but this was declined with no exception. (Perhaps I will retry with some scratch-organization, but AFAICS some/most of those nightmares directly operate on the account level, hence would void your account's safety for no good reason at all, just because they can).
Note to all hackers out there: Please never hack Travis-CI!
Because if you manage to crack into Travis-CI, you immediately gain full read and write access to the majority of security related repositories here on GitHub.
Hacking Travis-CI would not be just some nuclear option. It would be like killing our entire galaxy cluster FTL!
master, which git is about to get rid of, and it has some time based scanning, which (makes no sense at all to me, because time based re-evaluation is either a complete waste of effort or always comes too late when dependencies get trojaned, and) also needs to be manually (for every and all of my repositories, probably).

What am I doing wrong? What is the right minimal permission set needed to gain security? What does such a report look like and what am I supposed to see (or not see due to some silent failure at some hidden detail)?
Note that it is insane to have a permanent lowered security setting just to, perhaps, gain some more security at some other place, by chance or even less.
So what are the secure settings to do security scans? (Or is this a trick question to see how many fall to no security at all for the promise of some obscure security?)