Open johnbillion opened 3 months ago
The `permissions` key can help reduce the impact that a malicious or compromised action can have by restricting its permissions to the minimum required access for the job to run. It would be great if Octoscan included a rule which detected workflows with a missing `permissions` key. The key can be set at the workflow level, affecting all jobs, and at each job level.

This rule is worth discussing, as it does not depend entirely on the permission attribute defined in the workflow. For example, with a `pull_request` trigger, the permission linked to the `GITHUB_TOKEN` will not be the same if it is triggered by a person with write access to the repository or by an external contributor.

There is also a setting at the repository or organization level which drastically reduces the permissions on the token:

For new organizations (after 2023, I think), this setting is enabled by default, and you must explicitly add the required authorizations.

Hi @johnbillion I think that https://github.com/ossf/scorecard-action can do this :)
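A minimal version of the check the issue asks for, added here as an example and not code from Octoscan or from anyone in the thread: it assumes the workflow file has already been loaded into a dict by a YAML parser, and the sample workflow is constructed.

```python
# Constructed sample workflow, as the dict a YAML parser (e.g. PyYAML's
# safe_load) would produce: `build` sets no permissions anywhere, `release`
# narrows its own token to contents: write.
WORKFLOW = {
    "on": {"push": None, "pull_request": None},
    "jobs": {
        "build": {"runs-on": "ubuntu-latest", "steps": [{"run": "make"}]},
        "release": {
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "write"},
            "steps": [{"run": "make release"}],
        },
    },
}


def triggers(workflow):
    """Normalise `on:`, which may be a string, a list or a mapping.
    Caveat: YAML 1.1 parsers such as PyYAML read an unquoted `on` key as the
    boolean True, so a scanner has to look that up too."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return [on]
    if isinstance(on, list):
        return list(on)
    return list(on or {})


def find_missing_permissions(workflow):
    """Jobs whose GITHUB_TOKEN scope is left at the repository default.
    `permissions` set at workflow level covers every job; a job-level key
    overrides it. Flag only when neither level sets it (any value counts,
    including `{}` and `read-all`)."""
    workflow_level = "permissions" in workflow
    return [
        name
        for name, job in workflow.get("jobs", {}).items()
        if not workflow_level and "permissions" not in (job or {})
    ]


def report(workflow):
    """One finding per flagged job. The triggers are attached because, as the
    maintainer notes, the default scope depends on who triggered the run."""
    on = ", ".join(triggers(workflow))
    return [
        f"job '{job}': no permissions key at job or workflow level (on: {on})"
        for job in find_missing_permissions(workflow)
    ]
```

Whether a missing key is a real problem still depends on the repository or organization default-token setting described in the thread, which a workflow-only scanner cannot see.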