Fix: Resolve Checkov CKV2_GHA_1 error by setting root permissions for…

… workflows (closes oxsecurity#3026)
andrewvaughan · Oct 21, 2023 · aa2d9a9 · aa2d9a9
1 parent ce5706e
commit aa2d9a9
Show file tree

Hide file tree

Showing 7 changed files with 14 additions and 1 deletion.
diff --git a/.github/workflows/mega-linter-for-runner.yml b/.github/workflows/mega-linter-for-runner.yml
@@ -16,6 +16,8 @@ env: # Comment env block if you do not want to apply fixes
   APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all)
   APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request)
 
+permissions: read-all # All jobs should have read-only access, unless explicitly given
+
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true

diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
@@ -16,6 +16,8 @@ env: # Comment env block if you do not want to apply fixes
   APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all)
   APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request)
 
+permissions: read-all # All jobs should have read-only access, unless explicitly given
+
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,6 +19,7 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
 - Fixes
   - build.py: Remove exclusivity between pip, gem & cargo packages
   - Salesforce linters: Switch sfdx-cli to @salesforce/cli
+  - Set default permissions to all workflows to `read-only` to increase security and prevent Checkov `CKV2_GHA_1` errors
 
 - Doc
   - Display list of articles from newest to oldest

diff --git a/README.md b/README.md
@@ -75,7 +75,7 @@ _Github PR reporter_
 <!-- table-of-contents-start -->
 ## Table of Contents
 
-- [MegaLinter, by](#megalinter-by-)
+- [MegaLinter, by ](#megalinter-by-)
   - [Table of Contents](#table-of-contents)
   - [Why MegaLinter](#why-megalinter)
   - [Quick Start](#quick-start)
@@ -439,6 +439,8 @@ env: # Comment env block if you don't want to apply fixes
   APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all)
   APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request)
 
+permissions: read-all # All jobs should have read-only access, unless explicitly given
+
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true

diff --git a/TEMPLATES/mega-linter.yml b/TEMPLATES/mega-linter.yml
@@ -31,6 +31,8 @@ env:
   # or posted in a PR (pull_request)
   APPLY_FIXES_MODE: commit
 
+permissions: read-all # All jobs should have read-only access, unless explicitly given
+
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true

diff --git a/docs/install-github.md b/docs/install-github.md
@@ -38,6 +38,8 @@ on:
   pull_request:
     branches: [master, main]
 
+permissions: read-all # All jobs should have read-only access, unless explicitly given
+
 env: # Comment env block if you don't want to apply fixes
   # Apply linter fixes configuration
   APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)

diff --git a/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml b/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml
@@ -31,6 +31,8 @@ env:
   # or posted in a PR (pull_request)
   APPLY_FIXES_MODE: commit
 
+permissions: read-all # All jobs should have read-only access, unless explicitly given
+
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true