ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.58k stars 496 forks

Support setting for repository wide read-only token #2633

Open datosh opened 1 year ago

datosh commented 1 year ago

Is your feature request related to a problem? Please describe.

Based on Scorecard findings I have minimized the permissions of all tokens in our project. Thanks for helping to improve our security! ❤️

After merging the minimized permissions to main, I have set the repository setting Workflow permissions to read repository contents and went to see my reduced security warnings, just to discover that this is a documented limitation in Scorecard/GitHub API: "The check cannot detect if the "read-only" GitHub permission setting is enabled, as there is no API available."

This now reports a lot (>50) false positives in our repository, which costs a lot of engineering time to triage.

Describe the solution you'd like

  1. Support an additional CLI argument, e.g., --assume-read-only-token. With that the user guarantees that the setting is enforced by some other means, and Scorecard can work with the correct assumptions.
  2. In its current form there is no value in the token-permissions scan for me. An alternative solution would be to allow me to ignore a single scan. Currently scorecard only allows selecting specific checks to run, e.g., --check=SAST. I would like to be able to explicitly not run a single check, e.g., --disable-check=token-permissions, so that I can:
    • get the added benefit of additional (future) checks
    • keep my script nice and tidy, and express my desire of not running a single check

Describe alternatives you've considered

I have considered adding

permissions:
  contents: read

to all workflow definitions, but this approach is error prone and time consuming, not to mention: not sensible, since there is already a setting to enforce it 😉

Additional context

Have you already discussed how to handle this in the OpenSSF community? Any battle-proven solutions / processes we could adopt here?

datosh commented 1 year ago

I have just checked the GitHub API and discovered this endpoint: https://docs.github.com/en/rest/actions/permissions?apiVersion=2022-11-28#get-default-workflow-permissions-for-a-repository

Would this allow Scorecard to query the repository settings?
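Added example (not Scorecard's or GitHub's code): it models how the response body of the endpoint linked above would combine with a workflow's top-level `permissions:` block to give the effective GITHUB_TOKEN scopes, i.e. the information the token-permissions check currently cannot see. It assumes the documented two-field response shape, leaves out the `id-token` and `metadata` scopes, and does not model job-level `permissions:` overrides.

```python
import json

# Scopes a GITHUB_TOKEN can carry, named as in a workflow's `permissions:` block.
# `id-token` and `metadata` are left out (assumption): their defaults do not
# depend on the repository setting, so they do not change a read-only assessment.
SCOPES = ("actions", "checks", "contents", "deployments", "discussions", "issues",
          "packages", "pages", "pull-requests", "repository-projects",
          "security-events", "statuses")

def effective_permissions(workflow_permissions, repo_workflow_settings):
    """Return {scope: level} the GITHUB_TOKEN would receive for a workflow.

    workflow_permissions: the top-level `permissions:` value from the workflow
        file (None if the key is absent, "read-all", "write-all", or a
        {scope: "read"|"write"|"none"} mapping).
    repo_workflow_settings: parsed JSON body of
        GET /repos/{owner}/{repo}/actions/permissions/workflow
    Job-level `permissions:` overrides are not modelled (assumption).
    """
    if workflow_permissions is None:
        # No explicit block: the repository-wide default decides.
        if repo_workflow_settings["default_workflow_permissions"] == "read":
            # Restricted default: contents and packages read, everything else none.
            return {s: ("read" if s in ("contents", "packages") else "none")
                    for s in SCOPES}
        return {s: "write" for s in SCOPES}  # permissive default
    if workflow_permissions == "read-all":
        return {s: "read" for s in SCOPES}
    if workflow_permissions == "write-all":
        return {s: "write" for s in SCOPES}
    # Explicit mapping: any scope not listed is dropped to none.
    return {s: workflow_permissions.get(s, "none") for s in SCOPES}

def write_scopes(workflow_permissions, repo_workflow_settings):
    """Scopes that end up writable: the set a token-permissions check would flag."""
    perms = effective_permissions(workflow_permissions, repo_workflow_settings)
    return sorted(s for s, level in perms.items() if level == "write")

if __name__ == "__main__":
    # Constructed sample response, shaped like the endpoint's documented body.
    settings = json.loads('{"default_workflow_permissions": "read", '
                          '"can_approve_pull_request_reviews": false}')
    # A workflow with no `permissions:` key at all.
    print("no block, read-only repo default:", write_scopes(None, settings))
    # A workflow that explicitly asks for one write scope.
    print("explicit block:",
          write_scopes({"contents": "read", "pull-requests": "write"}, settings))
```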

laurentsimon commented 1 year ago

Hi, do you run the scorecard CLI or do you use the scorecard-action?

I think this API would work so long as a PAT is used (proposed in https://github.com/ossf/scorecard/issues/2556) /cc @diogoteles08

datosh commented 1 year ago

We indeed use the scorecard action: https://github.com/edgelesssys/constellation/blob/main/.github/workflows/scorecard.yml

laurentsimon commented 1 year ago

Thanks. We're working on a config file to allow disabling certain checks. I will keep you posted.

github-actions[bot] commented 1 year ago

Stale issue message - this issue will be closed in 7 days

katexochen commented 1 year ago

This seems to be still an issue. @laurentsimon any update on the config file?

laurentsimon commented 1 year ago

WIP ETA EOY /cc @spencerschrock @gabibguti

github-actions[bot] commented 11 months ago

This issue is stale because it has been open for 60 days with no activity.