Open datosh opened 1 year ago

Is your feature request related to a problem? Please describe.
Based on Scorecard findings I have minimized the permissions of all tokens in our project. Thanks for helping to improve our security! ❤️

After merging the minimized permissions to `main`, I have set the repository setting `Workflow permissions` to `read repository contents` and went to see my reduced security warnings, just to discover that this is a documented limitation in Scorecard/GitHub API: "The check cannot detect if the "read-only" GitHub permission setting is enabled, as there is no API available." This now reports a lot (>50) false positives in our repository, which costs a lot of engineering time to triage.

Describe the solution you'd like
`--assume-read-only-token`. With that the user guarantees that the setting is enforced by some other means, and Scorecard can work with the correct assumptions.

`token-permissions` scan for me. An alternative solution would be to allow me to ignore a single scan. Currently scorecard only allows selecting specific checks to run, e.g., `--check=SAST`. I would like to be able to explicitly not run a single check, e.g., `--disable-check=token-permissions`, so that I can:

Describe alternatives you've considered
I have considered adding

to all workflow definitions, but this approach is error prone and time consuming, not to mention: not sensible, since there is already a setting to enforce it 😉

Additional context
Have you already discussed how to handle this in the OpenSSF community? Any battle-proven solutions / processes we could adopt here?

I have just checked the GitHub API and discovered this endpoint: https://docs.github.com/en/rest/actions/permissions?apiVersion=2022-11-28#get-default-workflow-permissions-for-a-repository
Would this allow Scorecard to query the repository settings?

Hi, do you run the scorecard CLI or do you use the scorecard-action?

I think this API would work so long as a PAT is used (proposed in https://github.com/ossf/scorecard/issues/2556) /cc @diogoteles08

We indeed use the scorecard action: https://github.com/edgelesssys/constellation/blob/main/.github/workflows/scorecard.yml

Thanks. We're working on a config file to allow disabling certain checks. I will keep you posted.

Stale issue message - this issue will be closed in 7 days

This seems to be still an issue. @laurentsimon any update on the config file?

WIP ETA EOY /cc @spencerschrock @gabibguti

This issue is stale because it has been open for 60 days with no activity.
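The endpoint linked in the thread (`GET /repos/{owner}/{repo}/actions/permissions/workflow`) is what lets a maintainer confirm, outside Scorecard, whether the repository-level default for `GITHUB_TOKEN` is already read-only, which is exactly the setting the Token-Permissions check cannot see. The script below is an added example and not Scorecard or scorecard-action code: `fetch_workflow_permissions` calls that real endpoint (it needs a token with administrative access to the repository, which is why the thread says a PAT is required), and `assess` turns the response into a triage verdict. The owner, repo and token values are supplied by the caller; the sample responses in the module are constructed for illustration.

```python
"""Check a repository's default GITHUB_TOKEN workflow permissions.

Added example for triaging Scorecard Token-Permissions findings; not part of
Scorecard. Uses the GitHub REST endpoint documented in the thread:
GET /repos/{owner}/{repo}/actions/permissions/workflow
"""
import json
import os
import sys
import urllib.request

API = "https://api.github.com"


def fetch_workflow_permissions(owner: str, repo: str, token: str) -> dict:
    """Return the JSON body of the workflow-permissions endpoint.

    The token must have admin-level access to the repository (a PAT or an
    equivalently scoped fine-grained token); a plain GITHUB_TOKEN is not enough.
    """
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/actions/permissions/workflow",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def assess(settings: dict) -> dict:
    """Turn the endpoint's JSON into a triage verdict.

    `default_workflow_permissions` is "read" or "write"; it applies only to
    workflows that do not declare their own top-level `permissions:` block.
    Findings about workflows that explicitly request write scopes are unaffected
    by this setting and still need a look.
    """
    default = settings.get("default_workflow_permissions")
    can_approve = bool(settings.get("can_approve_pull_request_reviews", False))
    findings = []
    if default != "read":
        findings.append(
            "default GITHUB_TOKEN permissions are not read-only; "
            "Scorecard findings about missing top-level permissions are real"
        )
    if can_approve:
        findings.append("GITHUB_TOKEN is allowed to create and approve pull requests")
    return {
        "read_only_default": default == "read",
        "token_can_approve_prs": can_approve,
        "findings": findings,
    }


# Constructed sample responses in the endpoint's documented shape (not real data).
SAMPLE_READ_ONLY = {
    "default_workflow_permissions": "read",
    "can_approve_pull_request_reviews": False,
}
SAMPLE_PERMISSIVE = {
    "default_workflow_permissions": "write",
    "can_approve_pull_request_reviews": True,
}


if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=<pat> python check_perms.py <owner> <repo>
    if len(sys.argv) == 3 and os.environ.get("GITHUB_TOKEN"):
        body = fetch_workflow_permissions(sys.argv[1], sys.argv[2], os.environ["GITHUB_TOKEN"])
    else:
        body = SAMPLE_PERMISSIVE  # offline demo on the constructed sample
    print(json.dumps(assess(body), indent=2))
```

A `read_only_default` of `True` means Scorecard findings that only complain about a missing top-level `permissions:` block can be treated as already mitigated at the repository level; findings about explicitly granted write scopes in a workflow are independent of this setting and should be triaged on their own merits.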