
Commit 2f504b7

authored
Removed job-level permissions check for actions and packages (#2367)
* Removed job-level permissions check for actions and packages Signed-off-by: Eddie Knight <[email protected]> * Updated unit tests Signed-off-by: Eddie Knight <[email protected]> Signed-off-by: Eddie Knight <[email protected]>
1 parent d76bcb6 commit 2f504b7


2 files changed

+4
-5
lines changed


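--- a/checks/evaluation/permissions.go
+++ b/checks/evaluation/permissions.go
@@ -241,7 +241,6 @@ func calculateScore(result map[string]permissions) int {
 
 // contents.
 // Allows attacker to commit unreviewed code.
-// Scoring does not apply to job-level permissions, as this is a common place to use third-party actions.
 // High risk: -10
 if permissionIsPresentInTopLevel(perms, "contents") {
 score -= checker.MaxResultScore
@@ -250,14 +249,14 @@ func calculateScore(result map[string]permissions) int {
 // packages: https://docs.github.com/en/packages/learn-github-packages/about-permissions-for-github-packages.
 // Allows attacker to publish packages.
 // High risk: -10
-if permissionIsPresent(perms, "packages") {
+if permissionIsPresentInTopLevel(perms, "packages") {
 score -= checker.MaxResultScore
 }
 
 // actions.
 // May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.
 // High risk: -10
-if permissionIsPresent(perms, "actions") {
+if permissionIsPresentInTopLevel(perms, "actions") {
 score -= checker.MaxResultScore
 }
 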
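Review bot: The line removed in the first hunk was the only place in calculateScore that recorded why job-level write permissions are deliberately left unscored, and after this commit that rationale applies to all three visible checks (contents, packages, actions) but is written nowhere. A reader of the `packages` and `actions` branches now sees `permissionIsPresentInTopLevel` under a "High risk: -10" comment with no hint that a job-level `packages: write` or `actions: write` intentionally goes unscored, which is exactly the behavior a later contributor is likely to "fix" back. Suggest reinstating the comment once, above the `contents` check, broadened to cover the three branches: `// Scoring for contents, packages and actions applies to top-level permissions only; job-level grants are not scored, as jobs commonly use third-party actions that need them.` calculateScore begins before the first hunk and continues past the second, so there may be further checks this also applies to.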
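--- a/checks/permissions_test.go
+++ b/checks/permissions_test.go
@@ -64,7 +64,7 @@ func TestGithubTokenPermissions(t *testing.T) {
 filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-run-writes-2.yaml"},
 expected: scut.TestReturn{
 Error: nil,
-Score: checker.MinResultScore,
+Score: checker.MaxResultScore,
 NumberOfWarn: 3,
 NumberOfInfo: 2,
 NumberOfDebug: 4,
@@ -86,7 +86,7 @@ func TestGithubTokenPermissions(t *testing.T) {
 filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-run-package-write.yaml"},
 expected: scut.TestReturn{
 Error: nil,
-Score: checker.MinResultScore,
+Score: checker.MaxResultScore,
 NumberOfWarn: 1,
 NumberOfInfo: 1,
 NumberOfDebug: 4,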
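Review bot: Both flipped expectations in this file move a score to `checker.MaxResultScore` while `NumberOfWarn` stays at 3 and 1, so the table now pins that job-level writes are still warned about but no longer lower the score; that matches the permissions.go change, but neither hunk shows a case that pins the retained penalty for a top-level `packages: write` or `actions: write`. If the table does not already hold such a case (the rest of TestGithubTokenPermissions is outside these hunks), add one expecting `Score: checker.MinResultScore` so a regression in the top-level check is caught rather than masked by these two now-passing cases. A short comment on each changed line, e.g. `// job-level write: warned, not scored`, would also tell a reader why a workflow that produces warnings scores the maximum.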
