Detect missing `permissions` key

[johnbillion]

The permissions key can help reduce the impact that a malicious or compromised action can have by restricting its permissions to the minimum required access for the job to run.

It would be great if Octoscan included a rule which detected workflows with a missing permission key. The key can be set at the workflow level, affecting all jobs, and at each job level.

[hugo-syn]

This rule is worth discussing, as it does not depend entirely on the permission attribute defined in the workflow. For example, with a pull_request trigger, the permission linked to the GITHUB_TOKEN will not be the same if it is triggered by a person with write access to the repository or by an external contributor.

There is also a setting at the repository or organization level which drastically reduce the permissions on the token:

For new organizations (after 2023, I think), this setting is enabled by default, and you must explicitly add the required authorizations.