Workflow permissions are not minimal

ID: cicd_workflow_perms_not_minimal
Severity: high
Family: CI/CD tools
Tags: cicd-security, infrastructure, reachable, security, supply-chain
Description
The repository's workflow permissions setting should be configured with the minimum permissions required.
This check determines whether the default workflow permissions for a repository are set to read.
Security
GitHub Workflows run with temporary tokens; if such a token is stolen, it can give an attacker access to the repository, and that access can potentially be used to bypass restrictions such as a required reviewer. Minimizing the permissions a workflow needs limits what a potential attacker can do with a stolen token. This policy evaluates GitHub API results.
In GitHub Actions, before each job begins, GitHub fetches an installation access token for the job (GITHUB_TOKEN). The GITHUB_TOKEN expires when the job finishes or after a maximum of 24 hours. Ensure the GITHUB_TOKEN is configured with the least privileges needed to run your jobs. Any user with write access to your repository has read access to all secrets configured in your repository. Therefore, you should ensure that the credentials used within workflows have the least privileges required.
Mitigation / Fix
For GitHub:
- Set the default workflow permissions to read, as described in the GitHub documentation.
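The following is an added example, not the scanner's own code, showing how the check described above can be evaluated offline. It models the repository-level check against the JSON body that the GitHub REST endpoint `GET /repos/{owner}/{repo}/actions/permissions/workflow` returns (field `default_workflow_permissions`, value `read` or `write`), and goes one step further than the page by also showing how an individual workflow's `permissions` key interacts with that default: a workflow that declares no `permissions` inherits the repository setting, while one that declares it narrows or widens the GITHUB_TOKEN for that run. The function names, the `Finding` type, and the API payloads and workflow documents are constructed for this example; the workflows are given as already-parsed dicts so no YAML library is needed.

```python
"""Least-privilege check for GitHub Actions workflow permissions (added example)."""
from __future__ import annotations
from dataclasses import dataclass

CHECK_ID = "cicd_workflow_perms_not_minimal"
SEVERITY = "high"


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    message: str


def check_repo_default(payload: dict) -> list[Finding]:
    """Evaluate the repository-level setting.

    `payload` is the JSON body of
    GET /repos/{owner}/{repo}/actions/permissions/workflow (real endpoint).
    The policy passes only when the default is 'read'.
    """
    default = payload.get("default_workflow_permissions")
    if default == "read":
        return []
    return [Finding(CHECK_ID, SEVERITY,
                    f"default workflow permissions are {default!r}; expected 'read'")]


def normalise_permissions(permissions) -> dict[str, str] | None:
    """Turn a workflow or job `permissions` value into {scope: access}.

    GitHub accepts the strings 'read-all' / 'write-all', the empty mapping {}
    (every scope set to none), or a mapping of scope -> read|write|none.
    Returns None when the key is absent, i.e. the next level up applies.
    """
    if permissions is None:
        return None
    if permissions == "read-all":
        return {"*": "read"}
    if permissions == "write-all":
        return {"*": "write"}
    if isinstance(permissions, dict):
        return {scope: str(access) for scope, access in permissions.items()}
    raise ValueError(f"unsupported permissions value: {permissions!r}")


def check_workflow(workflow: dict, repo_default: str) -> list[Finding]:
    """Report where a parsed workflow leaves GITHUB_TOKEN at write access.

    `workflow` is the parsed YAML document; `repo_default` is the repository
    setting ('read' or 'write'). Job-level permissions override workflow-level
    ones; if neither is set, the repository default applies.
    """
    findings: list[Finding] = []
    top = normalise_permissions(workflow.get("permissions"))
    if top is None and repo_default != "read":
        findings.append(Finding(CHECK_ID, SEVERITY,
            "workflow declares no `permissions`; GITHUB_TOKEN inherits the "
            f"repository default {repo_default!r}"))
    for name, job in workflow.get("jobs", {}).items():
        effective = normalise_permissions(job.get("permissions"))
        if effective is None:
            effective = top
        if effective is None:
            continue  # inherits the repository default, reported above if 'write'
        for scope, access in effective.items():
            if access == "write":
                findings.append(Finding(CHECK_ID, SEVERITY,
                    f"job {name!r} grants write access on scope {scope!r}; "
                    "confirm this job needs it"))
    return findings


# --- constructed samples (not real API responses or repository files) -------
REPO_WRITE_DEFAULT = {"default_workflow_permissions": "write",
                      "can_approve_pull_request_reviews": True}
REPO_READ_DEFAULT = {"default_workflow_permissions": "read",
                     "can_approve_pull_request_reviews": False}

# Equivalent to a workflow file with no top-level `permissions:` key.
WORKFLOW_INHERITS = {
    "name": "ci", "on": "push",
    "jobs": {"build": {"runs-on": "ubuntu-latest",
                       "steps": [{"uses": "actions/checkout@v4"}]}},
}

# Equivalent to:  permissions: {contents: read}  at the top level, with the
# release job alone widened to  permissions: {contents: write}.
WORKFLOW_SCOPED = {
    "name": "release", "on": "push",
    "permissions": {"contents": "read"},
    "jobs": {
        "test": {"runs-on": "ubuntu-latest", "steps": []},
        "release": {"runs-on": "ubuntu-latest",
                    "permissions": {"contents": "write"}, "steps": []},
    },
}

if __name__ == "__main__":
    for f in (check_repo_default(REPO_WRITE_DEFAULT)
              + check_workflow(WORKFLOW_INHERITS, "write")
              + check_workflow(WORKFLOW_SCOPED, "read")):
        print(f"[{f.severity}] {f.check_id}: {f.message}")
```

Running the script reports the repository whose default is `write`, the workflow that silently inherits that default, and the single job in the scoped workflow that explicitly asks for `contents: write`; the scoped workflow's `test` job, which only inherits `contents: read`, produces nothing. The per-job findings are a review prompt rather than a hard failure, since a release or publish job may legitimately need write access on one scope.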