You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
GitHub Token Permissions Are Not Set to Minimum in Workflow
Summary
The GitHub token permissions in your workflow file (.github/workflows/codeql.yml) exceed the minimum required. Reducing permissions to the minimum necessary enhances security by limiting the access scope of the token, thereby lowering the risk of accidental or malicious misuse.
Why This is Important
Using excessive permissions in GitHub workflows can expose your repository to potential security risks. The GitHub token grants access to repository resources, and any unnecessary permissions increase the likelihood of sensitive actions being performed without justification. By applying the principle of least privilege, you protect your repository from unintended data exposure and ensure that each job only has access to what it absolutely needs.
Suggested Fix
Below is the updated permissions configuration, which minimizes access for the GitHub token. Update your workflow file with this suggested configuration to resolve this issue:
name: "CodeQL"
on:
push:
branches:
- main
- 'devel-*'
pull_request:
# The branches below must be a subset of the branches above
branches:
- main
- 'devel-*'
schedule:
- cron: '30 15 * * 3'
+ permissions:+ contents: read
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'python' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
# Learn more about CodeQL language support at https://git.io/codeql-language-support
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v3
# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
#- run: |
# make bootstrap
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
Next Steps
Please review and update the workflow file with these minimum permissions. If additional permissions are necessary for certain steps, specify only those permissions explicitly.
GitHub Token Permissions Are Not Set to Minimum in Workflow
Summary
The GitHub token permissions in your workflow file (.github/workflows/codeql.yml) exceed the minimum required. Reducing permissions to the minimum necessary enhances security by limiting the access scope of the token, thereby lowering the risk of accidental or malicious misuse.
Why This is Important
Using excessive permissions in GitHub workflows can expose your repository to potential security risks. The GitHub token grants access to repository resources, and any unnecessary permissions increase the likelihood of sensitive actions being performed without justification. By applying the principle of least privilege, you protect your repository from unintended data exposure and ensure that each job only has access to what it absolutely needs.
Suggested Fix
Below is the updated permissions configuration, which minimizes access for the GitHub token. Update your workflow file with this suggested configuration to resolve this issue:
name: "CodeQL" on: push: branches: - main - 'devel-*' pull_request: # The branches below must be a subset of the branches above branches: - main - 'devel-*' schedule: - cron: '30 15 * * 3' + permissions: + contents: read jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write strategy: fail-fast: false matrix: language: [ 'python' ] # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - name: Checkout repository uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # queries: ./path/to/local/query, your-org/your-repo/queries@main # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@v3 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines # and modify them (or add more) to build your code if your project # uses a compiled language #- run: | # make bootstrap # make release - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3Next Steps
Please review and update the workflow file with these minimum permissions. If additional permissions are necessary for certain steps, specify only those permissions explicitly.
For further guidance, refer to the GitHub documentation on fine-grained permissions.
Severity: High
The text was updated successfully, but these errors were encountered: