fix: excessive-permissions: be less noisy on one-job workflows (#337)

woodruffw · Dec 19, 2024 · 82bbdb4 · 82bbdb4
1 parent 53ccaec
commit 82bbdb4
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 1 deletion.
diff --git a/src/audit/excessive_permissions.rs b/src/audit/excessive_permissions.rs
@@ -7,7 +7,7 @@ use github_actions_models::{
 
 use super::{audit_meta, WorkflowAudit};
 use crate::{
-    finding::{Confidence, Severity},
+    finding::{Confidence, Persona, Severity},
     AuditState,
 };
 
@@ -56,12 +56,24 @@ impl WorkflowAudit for ExcessivePermissions {
         workflow: &'w crate::models::Workflow,
     ) -> anyhow::Result<Vec<crate::finding::Finding<'w>>> {
         let mut findings = vec![];
+
+        // Top-level permissions are a minor issue if there's only one
+        // job in the workflow, since they're equivalent to job-level
+        // permissions in that case. Emit only pedantic findings in
+        // that case.
+        let persona = if workflow.jobs.len() == 1 {
+            Persona::Pedantic
+        } else {
+            Persona::Regular
+        };
+
         // Top-level permissions.
         for (severity, confidence, note) in self.check_permissions(&workflow.permissions, None) {
             findings.push(
                 Self::finding()
                     .severity(severity)
                     .confidence(confidence)
+                    .persona(persona)
                     .add_location(
                         workflow
                             .location()

diff --git a/tests/snapshot.rs b/tests/snapshot.rs
@@ -316,3 +316,21 @@ fn cache_poisoning() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+fn excessive_permissions() -> Result<()> {
+    insta::assert_snapshot!(zizmor()
+        .workflow(workflow_under_test(
+            "excessive-permissions/issue-336-repro.yml"
+        ))
+        .run()?);
+
+    insta::assert_snapshot!(zizmor()
+        .workflow(workflow_under_test(
+            "excessive-permissions/issue-336-repro.yml"
+        ))
+        .args(["--pedantic"])
+        .run()?);
+
+    Ok(())
+}
diff --git a/tests/snapshots/snapshot__excessive_permissions-2.snap b/tests/snapshots/snapshot__excessive_permissions-2.snap
@@ -0,0 +1,15 @@
+---
+source: tests/snapshot.rs
+expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/issue-336-repro.yml\")).args([\"--pedantic\"]).run()?"
+snapshot_kind: text
+---
+error[excessive-permissions]: overly broad workflow or job-level permissions
+ --> @@INPUT@@:3:1
+  |
+3 | / permissions:
+4 | |   contents: write
+  | |_________________^ contents: write is overly broad at the workflow level
+  |
+  = note: audit confidence → High
+
+1 finding: 0 unknown, 0 informational, 0 low, 0 medium, 1 high
diff --git a/tests/snapshots/snapshot__excessive_permissions.snap b/tests/snapshots/snapshot__excessive_permissions.snap
@@ -0,0 +1,6 @@
+---
+source: tests/snapshot.rs
+expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/issue-336-repro.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job! (1 suppressed)
diff --git a/tests/test-data/excessive-permissions/issue-336-repro.yml b/tests/test-data/excessive-permissions/issue-336-repro.yml
@@ -0,0 +1,12 @@
+on: push
+
+permissions:
+  contents: write
+
+jobs:
+  single:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false