Workflow permissions are not minimal

ID

cicd_workflow_perms_not_minimal

Severity

high

Family

CI/CD tools

Tags

cicd-security, infrastructure, reachable, security, supply-chain

Description

Workflow settings should be configured with the minimum permissions required.

This check determines whether the workflow permissions for a repository are set to read by default.

Security

GitHub Workflows run with temporary tokens; if one is stolen, an attacker can use it to access the repository and potentially bypass restrictions such as required reviews. Minimizing the permissions that a workflow needs limits what a potential attacker can do with a stolen token. This policy evaluates GitHub API results.

In GitHub Actions, before each job begins, GitHub fetches an installation access token for the job (GITHUB_TOKEN). The GITHUB_TOKEN expires when the job finishes or after a maximum of 24 hours. Ensure the GITHUB_TOKEN is configured with the least privileges needed to run your jobs. Any user with write access to your repository has read access to all secrets configured in your repository. Therefore, you should ensure that the credentials used within workflows have the least privileges required.
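As an added example, not part of this policy's own implementation, the following Python evaluates the JSON the GitHub REST API returns for a repository's default workflow permissions and decides whether this check passes. The endpoint path and the two field names are assumed from the GitHub API as documented, and both response bodies are constructed samples rather than captured output.

```python
"""Evaluate a repository's default GITHUB_TOKEN permissions from the
GitHub REST API response (assumed endpoint:
GET /repos/{owner}/{repo}/actions/permissions/workflow)."""
import json
from typing import Any

CHECK_ID = "cicd_workflow_perms_not_minimal"

# Constructed sample bodies in the shape the endpoint returns.
SAMPLE_READ_ONLY = (
    '{"default_workflow_permissions": "read", '
    '"can_approve_pull_request_reviews": false}'
)
SAMPLE_PERMISSIVE = (
    '{"default_workflow_permissions": "write", '
    '"can_approve_pull_request_reviews": true}'
)


def evaluate_workflow_permissions(api_response: dict[str, Any]) -> dict[str, Any]:
    """Return a finding. The check passes only when the token defaults to
    read-only; the ability to approve pull requests is reported separately
    because it weakens required-review protections."""
    default = api_response.get("default_workflow_permissions")
    can_approve = bool(api_response.get("can_approve_pull_request_reviews", False))
    reasons: list[str] = []
    warnings: list[str] = []
    if default != "read":
        # A missing field is treated as a failure, not as read-only.
        reasons.append(f"default_workflow_permissions is {default!r}, expected 'read'")
    if can_approve:
        warnings.append("GITHUB_TOKEN may approve pull requests; required reviews can be bypassed")
    return {
        "check_id": CHECK_ID,
        "severity": "high",
        "passed": not reasons,
        "reasons": reasons,
        "warnings": warnings,
    }


def evaluate_json(raw: str) -> dict[str, Any]:
    """Evaluate a raw JSON response body."""
    return evaluate_workflow_permissions(json.loads(raw))


if __name__ == "__main__":
    for label, raw in (("read-only", SAMPLE_READ_ONLY), ("permissive", SAMPLE_PERMISSIVE)):
        print(label, json.dumps(evaluate_json(raw), indent=2))
```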

Mitigation / Fix

For GitHub: