Reduce generated permissions to read-all at top level for generated workflow file #3026
Comments
@andrewvaughan to post comments with results or push new commits, read-all won't be enough :) But MegaLinter users are free to not use these features and manually set permissions to read-all :)
Correct! But you should be able to put these permissions per-job. The

So to be clear, this isn't replacing the existing

As mentioned, it's pedantic, but it does enforce any extra build steps to require explicit permission building per-job, which is best practice. That is what Checkov errors about in the existing workflow.

Edit: So it would look something like this:

```yaml
name: MegaLinter

on:
  push:
    branches:
      - main
      - production
      - staging
  pull_request:

##
# Set any build permissions to `read-all` unless explicitly overridden. Important, as
# GitHub defaults to `write-all` which is a security risk.
#
permissions: read-all # <---- Line to add, prevents `CKV2_GHA_1` linting error

## ... env, concurrency, etc ...

jobs:
  build:
    name: MegaLinter
    runs-on: ubuntu-latest

    ##
    # Override the permissions from the default `read-all` set above to what this job needs
    # to function. Each job should set their own permissions, accordingly.
    #
    permissions:
      contents: write
      issues: write
      pull-requests: write

    # ...
```

A way to look at this is "hey GitHub, by default, only give any jobs

You could imagine a developer adding a job parallel to

Finally, adding this line adds zero change to the existing functionality for MegaLinter, which is nice. It's simply an additional layer of security.

I've formatted my generated file a little more verbosely with explanatory comments and fully complying with default MegaLinter configurations, if the project wishes to steal any parts of it - feel free:
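The following audit sketch is an added example, not part of the thread and not Checkov's or MegaLinter's code. It reports a workflow whose top-level `permissions` is missing or `write-all`, and lists jobs that declare no `permissions` of their own and therefore inherit the top-level value. It assumes block-style YAML with two-space indentation, as in the sample above; the `deploy` job and the function names are hypothetical.

```python
import re

# Constructed sample: the workflow from the thread plus a hypothetical second
# job ("deploy") that declares no permissions of its own.
SAMPLE = """\
name: MegaLinter
on:
  pull_request:
permissions: read-all  # top-level default
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
  deploy:
    runs-on: ubuntu-latest
"""

KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):\s*(.*?)\s*(?:#.*)?$")

def audit(text):
    """Return (top-level permissions value or None, {job: write scopes or None})."""
    top, jobs, section, job, in_perms = None, {}, None, None, False
    for line in text.splitlines():
        m = KEY.match(line)
        if not m:
            continue  # blank lines, comments, list items
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:
            section, job, in_perms = key, None, False
            if key == "permissions":
                top = value or "(mapping)"
        elif section == "jobs" and indent == 2:
            job, in_perms, jobs[key] = key, False, None
        elif section == "jobs" and job and indent == 4:
            in_perms = key == "permissions"
            if in_perms:
                jobs[job] = [value] if value else []
        elif in_perms and indent == 6 and value == "write":
            jobs[job].append(key)
    return top, jobs

def findings(text):
    top, jobs = audit(text)
    out = []
    if top in (None, "write-all"):
        out.append("top-level permissions missing or write-all")
    out += [f"job '{j}' inherits {top or 'repository default'}"
            for j, p in jobs.items() if p is None]
    return out
```

On the constructed sample, `build` shows its explicit write scopes while `deploy` is reported as inheriting `read-all`, which is the fail-closed behaviour the top-level line is meant to give a newly added job.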
@andrewvaughan I fully agree with your clear explanations and will of course accept an incoming PR :)
I got you fam.
… workflows (closes oxsecurity#3026)
This issue has been automatically marked as stale because it has not had recent activity. If you think this issue should stay open, please remove the
Describe the bug

Checkov (rightfully) complains about `CKV2_GHA_1` that the workflow file leaves permissions to the default `write-all` in `.mega-linter.yml` file. This line should be added to the top level:

The one build step permissions shouldn't have to change. It's a slightly pedantic issue, but it does occur on the default setup. It will also help prevent any mistakes if users add a second step beyond `build`.