Skip to content

Commit

Permalink
Adjusted to max score with warning if job content are set to write (#…
Browse files Browse the repository at this point in the history
…2355)

Signed-off-by: Eddie Knight <iv.eddieknight@gmail.com>

Signed-off-by: Eddie Knight <iv.eddieknight@gmail.com>
  • Loading branch information
Eddie Knight authored Oct 17, 2022
1 parent 78c7e83 commit c408592
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 2 deletions.
3 changes: 2 additions & 1 deletion checks/evaluation/permissions.go
Original file line number Diff line number Diff line change
Expand Up @@ -241,8 +241,9 @@ func calculateScore(result map[string]permissions) int {

// contents.
// Allows attacker to commit unreviewed code.
// Scoring does not apply to job-level permissions, as this is a common place to use third-party actions.
// High risk: -10
if permissionIsPresent(perms, "contents") {
if permissionIsPresentInTopLevel(perms, "contents") {
score -= checker.MaxResultScore
}

Expand Down
2 changes: 1 addition & 1 deletion checks/permissions_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -251,7 +251,7 @@ func TestGithubTokenPermissions(t *testing.T) {
filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-contents-writes-no-release.yaml"},
expected: scut.TestReturn{
Error: nil,
Score: checker.MinResultScore,
Score: checker.MaxResultScore,
NumberOfWarn: 1,
NumberOfInfo: 1,
NumberOfDebug: 4,
Expand Down

0 comments on commit c408592

Please sign in to comment.