From c40859202d739b31fd060ac5b30d17326cd74275 Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Mon, 17 Oct 2022 13:19:04 -0500
Subject: [PATCH] Adjusted to max score with warning if job content are set to write (#2355)
Signed-off-by: Eddie Knight
Signed-off-by: Eddie Knight
---
checks/evaluation/permissions.go | 3 ++-
checks/permissions_test.go | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/checks/evaluation/permissions.go b/checks/evaluation/permissions.go
index d7146e8193b..53cc4113603 100644
--- a/checks/evaluation/permissions.go
+++ b/checks/evaluation/permissions.go
@@ -241,8 +241,9 @@ func calculateScore(result map[string]permissions) int {
// contents.
// Allows attacker to commit unreviewed code.
+ // Scoring does not apply to job-level permissions, as this is a common place to use third-party actions.
// High risk: -10
- if permissionIsPresent(perms, "contents") {
+ if permissionIsPresentInTopLevel(perms, "contents") {
score -= checker.MaxResultScore
}
diff --git a/checks/permissions_test.go b/checks/permissions_test.go
index 5e575136b7b..bb671932ebd 100644
--- a/checks/permissions_test.go
+++ b/checks/permissions_test.go
@@ -251,7 +251,7 @@ func TestGithubTokenPermissions(t *testing.T) {
filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-contents-writes-no-release.yaml"},
expected: scut.TestReturn{
Error: nil,
- Score: checker.MinResultScore,
+ Score: checker.MaxResultScore,
NumberOfWarn: 1,
NumberOfInfo: 1,
NumberOfDebug: 4,
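Review bot: The comment added in the permissions.go hunk justifies exempting job-level `contents` write from scoring by saying jobs are "a common place to use third-party actions", which is the opposite of why that permission is dangerous — a compromised third-party action in such a job runs with that write token, so the "commit unreviewed code" risk stated two lines above still applies at job level. The exemption should be documented as a deliberate scoring trade-off rather than as lower risk, e.g. `// Job-level contents write is surfaced as a warning but not scored, so workflows that confine write access to one job are not penalised; the unreviewed-code risk above still applies to that job.` The title and the updated test expectation (score MaxResultScore with NumberOfWarn: 1) suggest the warning for job-level permissions is emitted elsewhere and unchanged; that path is not visible in the hunk, so confirm it still fires for the job-level case. `permissionIsPresentInTopLevel` is presumably an existing helper alongside `permissionIsPresent`; it is not defined in this patch. calculateScore continues outside the hunk.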