super-linter / super-linter

Combination of multiple linters to run as a GitHub Action or standalone
https://github.com/super-linter/super-linter
MIT License

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all" #5652

Closed UsernameAlvarez closed 1 month ago

UsernameAlvarez commented 1 month ago

Is there an existing issue for this?

Current Behavior

I'm using reusable workflows and I set the permissions inside specific jobs for building and deploying images, and the secrets are inherited properly:

```yaml
permissions:
  contents: read
  id-token: write
```

I'm not explicitly specifying "write-all" as a top-level permission, but the linting check is still failing. Maybe the linting tool is flagging the specific permissions granted within the workflow as potentially problematic, even if "write-all" is not explicitly stated.

Expected Behavior

As with the previous version of the linting tools, the workflow should run without encountering any errors or GitHub Actions failures during execution. We only updated the actions versions for the jobs in the pipelines and updated the linting version due to Dependabot updates.

Super-Linter version

Since v6.0.0 to latest

Relevant log output

Error: -09 16:00:25 [ERROR]   Errors found in CHECKOV
Error: -09 16:00:25 [ERROR]   Command output for CHECKOV:

dockerfile scan results:
Passed checks: 246, Failed checks: 0, Skipped checks: 0

github_actions scan results:
Passed checks: 188, Failed checks: 8, Skipped checks: 0

"Ensure top-level permissions are not set to write-all"
    FAILED for resource: on(Deploy to example)
    File: /.github/workflows/cd-deploy-to-example.yml:0-1

Steps To Reproduce

The checks failed in the GitHub Actions scan; everything is OK in the codebase.

Anything else?

No response
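For reference, the top-level setting the check name refers to, shown in its weak form beside a hardened form that keeps the job-level block the reporter describes. This is an added example, not the reporter's workflow or super-linter code; the workflow name, trigger and job are placeholders.

```yaml
# Added example (not the reporter's workflow). Two fragments separated by
# "---": the weak shape CKV2_GHA_1 is named after, then a hardened shape.

# Weak: a top-level write-all grants every job write access to every scope
# (contents, packages, id-token, ...), whether or not the job needs it.
name: deploy-example            # placeholder
on:
  push:
    branches: [main]
permissions: write-all          # the top-level setting the check is about
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

---
# Hardened: an explicit read-only default at the top level, and only the
# job that needs an OIDC token widens its own scope.
name: deploy-example            # placeholder
on:
  push:
    branches: [main]
permissions:
  contents: read                # restrictive default inherited by all jobs
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:                # job-level block as described in the issue
      contents: read            # a job-level block REPLACES the top-level one
      id-token: write           # and unlisted scopes become none, so re-list
    steps:                      # everything this job needs (checkout needs
      - uses: actions/checkout@v4   # contents: read)
```

The caveat worth remembering is in the comments: once a job sets its own `permissions`, the top-level block no longer applies to that job, so a job that only lists `id-token: write` silently loses `contents: read`.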

ferrarimarco commented 1 month ago

Hi @UsernameAlvarez !

This seems like an issue with Checkov, not super-linter itself.

I would raise this in their repository.