Token Permissions

ID

openssf_scorecard/token_permissions

Severity

critical

Category

Levels

Optional

false

Tags

infrastructure, security, supply-chain

Description

Does the project declare tokens in CI/CD as read-only?

This check determines whether the tokens used by the project's automated workflows are set to read-only by default.

Rationale

Setting token permissions to read-only follows the principle of least privilege. This is important because attackers may use a compromised token with write access to push malicious code into the project.

Verification

The highest compliance level is awarded when the permissions definitions in each workflow's yaml file are set as read-only at the top level and any required write permissions are declared at the job (run) level. One point is reduced from the level if all jobs have their permissions defined but the top-level permissions are not defined. This configuration is secure, but when a new job is added to the workflow, its job permissions could be left undefined through human error.

Additionally, points are reduced if certain write permissions are defined for a job.

On some SCM platforms, GitHub included, the check cannot detect whether the repository-wide "read-only" token setting is enabled, because no API exposes it.

Write permissions causing a small reduction to compliance level:

  • statuses - May allow an attacker to change the result of pre-submit checks and get a PR merged.

  • checks - May allow an attacker to remove pre-submit checks and introduce a bug.

  • security-events - May allow an attacker to read vulnerability reports before a patch is available. However, points are not reduced if the job utilizes a recognized action for uploading SARIF results.

  • deployments - May allow an attacker to run up costs for the repository owner by triggering VM runs, and there is a small chance an attacker can trigger a remote service with code they own if the server accepts code/location variables unsanitized.

Write permissions causing a large reduction to compliance level:

  • contents - Allows an attacker to commit unreviewed code. However, points are not reduced if the job utilizes a recognized packaging action or command.

  • packages - Allows an attacker to publish packages. However, points are not reduced if the job utilizes a recognized packaging action or command.

  • actions - May allow an attacker to steal GitHub secrets by approving a workflow run that requires approval.

Remediation

For GitHub:

  • Set permissions as read-all or contents: read, as described in the GitHub documentation.

  • To help determine the permissions needed for project workflows, the StepSecurity online tool can be used by ticking "Restrict permissions for GITHUB_TOKEN". You may also tick "Pin actions to a full length commit SHA" to fix issues found by the Pinned-dependencies check.
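As an added illustration of the Verification and Remediation guidance above (a constructed example, not a file from the Scorecard project or from GitHub's documentation), the two workflow documents below show a weak configuration beside the corrected one. The workflow names, the make targets and the action versions are assumptions; the permissions keys are the standard GitHub Actions ones.

```yaml
# WEAK: no permissions block anywhere. Every job's GITHUB_TOKEN receives the
# repository's default token permissions, which may include write scopes that
# neither job needs. Scorecard finds no top-level and no job-level definition.
name: ci-weak            # assumed name
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a full-length commit SHA in practice
      - run: make test              # assumed target
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make release           # assumed target; needs to push a release
---
# HARDENED: read-only at the top level, write scopes declared only on the job
# that needs them. This is the layout the highest compliance level expects.
name: ci-hardened        # assumed name
on: [pull_request]
# Top-level default for every job in this workflow: read-only token.
# "contents: read" would be the narrower alternative mentioned in the text.
permissions: read-all
jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits read-all; no job-level block is required here.
    steps:
      - uses: actions/checkout@v4   # pin to a full-length commit SHA in practice
      - run: make test              # assumed target
  release:
    runs-on: ubuntu-latest
    # Only this job gets a write scope. Setting a job-level permissions block
    # resets every scope not listed here to "none", so list exactly what the
    # job needs. "contents: write" is one of the scopes the text flags as a
    # large reduction, so keep it confined to release/packaging jobs.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: make release           # assumed target
```

The two documents are separated by a YAML document marker only so they can sit side by side here; in a repository each would be its own file under .github/workflows/. Note that a job-level permissions block is a full replacement, not a merge with the top level, which is why the release job lists contents: write explicitly rather than relying on read-all plus an addition.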

Small Print

Current implementation checks signatures for releases in GitHub only. Support for additional SCM platforms is under development.