
Removed job-level permissions check for actions and packages (ossf#2367)
* Removed job-level permissions check for actions and packages

Signed-off-by: Eddie Knight <knight@linux.com>

* Updated unit tests

Signed-off-by: Eddie Knight <knight@linux.com>

Signed-off-by: Eddie Knight <knight@linux.com>
eddie-knight authored and raghavkaul committed Feb 9, 2023
1 parent 0c8788d commit e641214
Showing 2 changed files with 4 additions and 5 deletions.
5 changes: 2 additions & 3 deletions checks/evaluation/permissions.go
Expand Up @@ -241,7 +241,6 @@ func calculateScore(result map[string]permissions) int {

// contents.
// Allows attacker to commit unreviewed code.
// Scoring does not apply to job-level permissions, as this is a common place to use third-party actions.
// High risk: -10
if permissionIsPresentInTopLevel(perms, "contents") {
score -= checker.MaxResultScore
Expand All @@ -250,14 +249,14 @@ func calculateScore(result map[string]permissions) int {
// packages: https://docs.github.com/en/packages/learn-github-packages/about-permissions-for-github-packages.
// Allows attacker to publish packages.
// High risk: -10
if permissionIsPresent(perms, "packages") {
if permissionIsPresentInTopLevel(perms, "packages") {
score -= checker.MaxResultScore
}

// actions.
// May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.
// High risk: -10
if permissionIsPresent(perms, "actions") {
if permissionIsPresentInTopLevel(perms, "actions") {
score -= checker.MaxResultScore
}

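Review bot: Nothing in the new code says that job-level `packages`/`actions` write permissions are intentionally left unscored — the two `if permissionIsPresentInTopLevel(...)` lines silently narrow the check, and the only comment that gave the rationale (the removed line under the `contents` block) is gone with this commit. Add the rationale once, e.g. above the `contents` block: `// Only top-level grants are scored for contents/packages/actions; job-level grants are a common pattern when using third-party actions.` If job-level write findings are still surfaced as warnings (the unchanged NumberOfWarn values in checks/permissions_test.go suggest so, but confirm), say that too, so a reader knows the risk is still reported even though it no longer affects the score. calculateScore begins before this hunk and continues after it.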
4 changes: 2 additions & 2 deletions checks/permissions_test.go
Expand Up @@ -64,7 +64,7 @@ func TestGithubTokenPermissions(t *testing.T) {
filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-run-writes-2.yaml"},
expected: scut.TestReturn{
Error: nil,
Score: checker.MinResultScore,
Score: checker.MaxResultScore,
NumberOfWarn: 3,
NumberOfInfo: 2,
NumberOfDebug: 4,
Expand All @@ -86,7 +86,7 @@ func TestGithubTokenPermissions(t *testing.T) {
filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-run-package-write.yaml"},
expected: scut.TestReturn{
Error: nil,
Score: checker.MinResultScore,
Score: checker.MaxResultScore,
NumberOfWarn: 1,
NumberOfInfo: 1,
NumberOfDebug: 4,
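Review bot: Both changed expectations only flip `Score` from `checker.MinResultScore` to `checker.MaxResultScore`, so no visible case pins that a top-level `packages: write` or `actions: write` still drives the score to `checker.MinResultScore`. If no such case exists elsewhere in TestGithubTokenPermissions, add one with a top-level-write workflow fixture and `Score: checker.MinResultScore`, so a later regression in `permissionIsPresentInTopLevel` is caught rather than masked by the relaxed expectations here. The test table starts before the first hunk and continues after the second.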
