`checks: write` gha permission is needed for pushing SARIF annotations on Pull Requests · Issue #4583 · ossf/scorecard · GitHub


Open
nitrocode opened this issue Apr 3, 2025 · 1 comment

Comments

@nitrocode
nitrocode commented Apr 3, 2025

https://securityscorecards.dev/viewer/?uri=github.com/runatlantis/atlantis

Warn: topLevel 'checks' permission set to 'write': .github/workflows/lint.yml:24

In our case, to push SARIF annotations in a PR from a linter like golangci-lint, it requires checks: write and of course that gets flagged by OpenSSF.

Request:

  • It would be good to call out examples where high privileges in github actions are needed
  • How to least-privilege the action with this permission to improve the score
@spencerschrock
Member
spencerschrock commented Apr 11, 2025

I believe the main concern Scorecard is flagging here is that it's at the top level instead of the job level. Because it's at the workflow level, you're giving other jobs/actions, such as dorny/paths-filter more permission than it needs.

If you move the checks: write permission under the golangci-lint job Scorecard shouldn't deduct points. The warning will still be there, but we should consider removing it.

https://docs.github.com/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions
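The two layouts discussed above, side by side, as an added illustration: this is not the runatlantis/atlantis lint.yml the issue refers to, and the job names, action versions and the `pull-requests: read` scope given to the paths-filter job are assumptions made for the example. A real workflow file holds one document; the `---` separator is only used here to show the "before" and "after" versions in one place.

```yaml
# Added illustration, not the runatlantis/atlantis lint.yml from the issue.
# Job names, action versions and the paths-filter scope are assumptions.

# --- Before: workflow-level grant. Every job, including the paths-filter
# job, gets a GITHUB_TOKEN with checks: write. Scorecard reports
# "topLevel 'checks' permission set to 'write'" against this file.
name: lint
on:
  pull_request:

permissions:
  contents: read
  checks: write            # flagged: applies to all jobs below

jobs:
  changes:
    runs-on: ubuntu-latest
    outputs:
      go: ${{ steps.filter.outputs.go }}
    steps:
      - uses: actions/checkout@v4
      - id: filter
        uses: dorny/paths-filter@v3
        with:
          filters: |
            go:
              - '**.go'

  golangci-lint:
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: golangci/golangci-lint-action@v6

---
# --- After: the workflow-level block is read-only and checks: write is
# scoped to the one job that posts check-run annotations. A job-level
# permissions block replaces (does not merge with) the workflow-level one
# for that job, so each job lists every scope it needs.
name: lint
on:
  pull_request:

permissions:
  contents: read

jobs:
  changes:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read  # assumed: paths-filter reads the PR's changed files
    outputs:
      go: ${{ steps.filter.outputs.go }}
    steps:
      - uses: actions/checkout@v4
      - id: filter
        uses: dorny/paths-filter@v3
        with:
          filters: |
            go:
              - '**.go'

  golangci-lint:
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write        # only this job can create or update check runs
    steps:
      - uses: actions/checkout@v4
      - uses: golangci/golangci-lint-action@v6
```

Two caveats worth checking before relying on this. First, because a job-level `permissions` block overrides the workflow-level one for that job rather than adding to it, dropping `contents: read` from a job's block leaves that job unable to check out the repository. Second, on `pull_request` events triggered from a fork the GITHUB_TOKEN is read-only regardless of what the workflow declares, so check-run annotations from fork PRs will not be posted under either layout. The Token-Permissions check can be re-run locally on a branch with the scorecard CLI (`scorecard --repo=github.com/OWNER/REPO --checks=Token-Permissions`) to confirm the job-level grant no longer costs points.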
