Open datosh opened 1 year ago
I have just checked the GitHub API and discovered this endpoint: https://docs.github.com/en/rest/actions/permissions?apiVersion=2022-11-28#get-default-workflow-permissions-for-a-repository
Would this allow Scorecard to query the repository settings?
Hi, do you run the scorecard CLI or do you use the scorecard-action?
I think this API would work so long as a PAT is used (proposed in https://github.com/ossf/scorecard/issues/2556) /cc @diogoteles08
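The endpoint linked above does expose the repository-level default in its response (`default_workflow_permissions` is `"read"` or `"write"`, plus `can_approve_pull_request_reviews`), so a maintainer can verify the setting themselves and treat Token-Permissions findings accordingly. Added example, not Scorecard code; it assumes a PAT in `GITHUB_TOKEN` with admin read access on the repo named in `TARGET_REPO`, and falls back to constructed sample data when no token is set:

```python
"""Read a repository's default GITHUB_TOKEN workflow permissions via
GET /repos/{owner}/{repo}/actions/permissions/workflow and judge whether
the "read repository contents" default is actually enforced."""
import json
import os
import urllib.request

API = "https://api.github.com"


def fetch_workflow_permissions(owner, repo, token):
    """Call the endpoint and return the decoded JSON body (needs a PAT)."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/actions/permissions/workflow",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def assess(settings):
    """Return (read_only, warnings).

    read_only is True only when default_workflow_permissions == "read",
    i.e. the repo setting Scorecard cannot see is in place and per-workflow
    Token-Permissions findings are redundant. PR approval by the token is
    reported separately, as it is a distinct setting."""
    warnings = []
    default = settings.get("default_workflow_permissions")
    read_only = default == "read"
    if not read_only:
        warnings.append(f"default_workflow_permissions is {default!r}, expected 'read'")
    if settings.get("can_approve_pull_request_reviews"):
        warnings.append("GITHUB_TOKEN may create and approve pull requests")
    return read_only, warnings


# Constructed sample responses in the documented response shape.
SAMPLE_READ_ONLY = {"default_workflow_permissions": "read",
                    "can_approve_pull_request_reviews": False}
SAMPLE_PERMISSIVE = {"default_workflow_permissions": "write",
                     "can_approve_pull_request_reviews": True}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    owner, _, repo = os.environ.get("TARGET_REPO", "owner/repo").partition("/")
    settings = fetch_workflow_permissions(owner, repo, token) if token else SAMPLE_READ_ONLY
    ok, warns = assess(settings)
    print("read-only default enforced" if ok else "\n".join(warns))
```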
We indeed use the scorecard action: https://github.com/edgelesssys/constellation/blob/main/.github/workflows/scorecard.yml
Thanks. We're working on a config file to allow disabling certain checks. I will keep you posted.
Stale issue message - this issue will be closed in 7 days
This seems to be still an issue. @laurentsimon any update on the config file?
WIP ETA EOY /cc @spencerschrock @gabibguti
This issue is stale because it has been open for 60 days with no activity.
Just wanted to mention that we still have the described issue.
Is your feature request related to a problem? Please describe.
Based on Scorecard findings I have minimized the permissions of all tokens in our project. Thanks for helping to improve our security! ❤️
After merging the minimized permissions to `main`, I have set the repository setting "Workflow permissions" to "read repository contents" and went to see my reduced security warnings, just to discover that this is a documented limitation in Scorecard/GitHub API: "The check cannot detect if the "read-only" GitHub permission setting is enabled, as there is no API available." This now reports a lot (>50) false positives in our repository, which costs a lot of engineering time to triage.
Describe the solution you'd like
`--assume-read-only-token`. With that the user guarantees that the setting is enforced by some other means, and Scorecard can work with the correct assumptions. `token-permissions` scan for me. An alternative solution would be to allow me to ignore a single scan. Currently scorecard only allows selecting specific checks to run, e.g., `--check=SAST`. I would like to be able to explicitly not run a single check, e.g., `--disable-check=token-permissions`, so that I can:

Describe alternatives you've considered
I have considered adding
to all workflow definitions, but this approach is error prone and time consuming, not to mention: not sensible, since there is already a setting to enforce it 😉
Additional context
Have you already discussed how to handle this in the OpenSSF community? Any battle-proven solutions / processes we could adopt here?