You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
GitHub Token Permissions Are Not Set to Minimum in Workflow
Summary
The GitHub token permissions in your workflow file (.github/workflows/test.yml) exceed the minimum required. Reducing permissions to the minimum necessary enhances security by limiting the access scope of the token, thereby lowering the risk of accidental or malicious misuse.
Why This is Important
Using excessive permissions in GitHub workflows can expose your repository to potential security risks. The GitHub token grants access to repository resources, and any unnecessary permissions increase the likelihood of sensitive actions being performed without justification. By applying the principle of least privilege, you protect your repository from unintended data exposure and ensure that each job only has access to what it absolutely needs.
Evidence of Excessive Permissions
For more context, please refer to the build log from your recent workflow run, which highlights the permissions granted to the GitHub token that exceed the recommended minimum.
Suggested Fix
Below is the updated permissions configuration, which minimizes access for the GitHub token. Update your workflow file with this suggested configuration to resolve this issue:
```diff
name: Test
on:
pull_request:
branches:
- main
push:
branches:
- main # to update code coverage
permissions: # added using https://github.com/step-security/secure-repo
contents: read
jobs:
test:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
allowed-endpoints: >
api.github.com:443
cli.codecov.io:443
codecov.io:443
uploader.codecov.io:443
github.com:443
proxy.golang.org:443
sum.golang.org:443
storage.googleapis.com:443
objects.githubusercontent.com:443
golang.org:443
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Set up Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: 1.17
- name: Run coverage
run: go test ./... -coverpkg=./... -race -coverprofile=coverage.txt -covermode=atomic
env:
PAT: ${{ secrets.GITHUB_TOKEN }}
- uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
Next Steps
Please review and update the workflow file with these minimum permissions. If additional permissions are necessary for certain steps, specify only those permissions explicitly.
GitHub Token Permissions Are Not Set to Minimum in Workflow
Summary
The GitHub token permissions in your workflow file (.github/workflows/test.yml) exceed the minimum required. Reducing permissions to the minimum necessary enhances security by limiting the access scope of the token, thereby lowering the risk of accidental or malicious misuse.
Why This is Important
Using excessive permissions in GitHub workflows can expose your repository to potential security risks. The GitHub token grants access to repository resources, and any unnecessary permissions increase the likelihood of sensitive actions being performed without justification. By applying the principle of least privilege, you protect your repository from unintended data exposure and ensure that each job only has access to what it absolutely needs.
Evidence of Excessive Permissions
For more context, please refer to the build log from your recent workflow run, which highlights the permissions granted to the GitHub token that exceed the recommended minimum.
Suggested Fix
Below is the updated permissions configuration, which minimizes access for the GitHub token. Update your workflow file with this suggested configuration to resolve this issue:
```diff name: Test on: pull_request: branches: - main push: branches: - main # to update code coverage permissions: # added using https://github.com/step-security/secure-repo contents: read jobs: test: permissions: contents: read runs-on: ubuntu-latest steps: - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: egress-policy: audit allowed-endpoints: > api.github.com:443 cli.codecov.io:443 codecov.io:443 uploader.codecov.io:443 github.com:443 proxy.golang.org:443 sum.golang.org:443 storage.googleapis.com:443 objects.githubusercontent.com:443 golang.org:443 - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 with: ref: ${{ github.event.pull_request.head.sha }} - name: Set up Go uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: 1.17 - name: Run coverage run: go test ./... -coverpkg=./... -race -coverprofile=coverage.txt -covermode=atomic env: PAT: ${{ secrets.GITHUB_TOKEN }} - uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1 with: token: ${{ secrets.CODECOV_TOKEN }}Next Steps
Please review and update the workflow file with these minimum permissions. If additional permissions are necessary for certain steps, specify only those permissions explicitly.
For further guidance, refer to the GitHub documentation on fine-grained permissions.
Severity: High
The text was updated successfully, but these errors were encountered: