From e641214c2cfe4d4a272a26e673ce4b4b327dcba4 Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Wed, 19 Oct 2022 03:02:17 -0500
Subject: [PATCH] Removed job-level permissions check for actions and packages (#2367)

* Removed job-level permissions check for actions and packages

Signed-off-by: Eddie Knight

* Updated unit tests

Signed-off-by: Eddie Knight

Signed-off-by: Eddie Knight
---
 checks/evaluation/permissions.go | 5 ++---
 checks/permissions_test.go | 4 ++--
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/checks/evaluation/permissions.go b/checks/evaluation/permissions.go
index 53cc4113603..899e89d616d 100644
--- a/checks/evaluation/permissions.go
+++ b/checks/evaluation/permissions.go
@@ -241,7 +241,6 @@ func calculateScore(result map[string]permissions) int {
 
 	// contents.
 	// Allows attacker to commit unreviewed code.
-	// Scoring does not apply to job-level permissions, as this is a common place to use third-party actions.
 	// High risk: -10
 	if permissionIsPresentInTopLevel(perms, "contents") {
 		score -= checker.MaxResultScore
@@ -250,14 +249,14 @@ func calculateScore(result map[string]permissions) int {
 	// packages: https://docs.github.com/en/packages/learn-github-packages/about-permissions-for-github-packages.
 	// Allows attacker to publish packages.
 	// High risk: -10
-	if permissionIsPresent(perms, "packages") {
+	if permissionIsPresentInTopLevel(perms, "packages") {
 		score -= checker.MaxResultScore
 	}
 
 	// actions.
 	// May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.
 	// High risk: -10
-	if permissionIsPresent(perms, "actions") {
+	if permissionIsPresentInTopLevel(perms, "actions") {
 		score -= checker.MaxResultScore
 	}
 
diff --git a/checks/permissions_test.go b/checks/permissions_test.go
index bb671932ebd..bdc2628abf5 100644
--- a/checks/permissions_test.go
+++ b/checks/permissions_test.go
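Review bot: The rationale for not scoring job-level permissions is deleted from the `contents` block in the first hunk but not restated for the `packages` and `actions` checks in the second hunk, which now follow the same top-level-only policy, so calculateScore no longer documents why a job-level `packages: write` or `actions: write` leaves the score untouched. Move the dropped sentence so it covers all three checks, e.g. above the `packages` check: `// contents, packages and actions are scored only at the top level; job-level grants are a common place to use third-party actions and do not reduce the score.` The test hunks in checks/permissions_test.go keep their warning counts while the score rises to MaxResultScore, which suggests job-level grants are still surfaced as warnings; that is worth confirming and stating in the same comment. calculateScore starts and ends outside both hunks.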
@@ -64,7 +64,7 @@ func TestGithubTokenPermissions(t *testing.T) {
 			filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-run-writes-2.yaml"},
 			expected: scut.TestReturn{
 				Error: nil,
-				Score: checker.MinResultScore,
+				Score: checker.MaxResultScore,
 				NumberOfWarn: 3,
 				NumberOfInfo: 2,
 				NumberOfDebug: 4,
@@ -86,7 +86,7 @@ func TestGithubTokenPermissions(t *testing.T) {
 			filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-run-package-write.yaml"},
 			expected: scut.TestReturn{
 				Error: nil,
-				Score: checker.MinResultScore,
+				Score: checker.MaxResultScore,
 				NumberOfWarn: 1,
 				NumberOfInfo: 1,
 				NumberOfDebug: 4,
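Review bot: Both updated cases flip from MinResultScore to MaxResultScore for fixtures whose names suggest job-level `packages`/`actions` writes, but neither hunk shows a case that still exercises a top-level `packages` or `actions` write, which is the path calculateScore keeps scoring after this change. If no other case in TestGithubTokenPermissions covers it, add a fixture with a top-level `packages: write` (and one for `actions: write`) expecting `Score: checker.MinResultScore`, so the remaining detection does not regress silently. The unchanged NumberOfWarn values in both hunks imply the job-level grants are still reported; a short comment on each case noting that only the score changed would make the intent clear to the next reader. TestGithubTokenPermissions starts and ends outside the hunks.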