Skip to content

Commit

Permalink
✨ Consider haskell-actions/hlint-scan a code scanning action (ossf#2846)
Browse files Browse the repository at this point in the history
* Add haskell-actions/hlint-scan as one of know GitHub actions which upload SARIF.

Signed-off-by: Yoo Chung <[email protected]>

* Test security-events permissions with actions known to upload SARIF.

Signed-off-by: Yoo Chung <[email protected]>

---------

Signed-off-by: Yoo Chung <[email protected]>
Signed-off-by: Avishay <[email protected]>
  • Loading branch information
chungyc authored and balteravishay committed Apr 14, 2023
1 parent 2e2878f commit c93b2eb
Show file tree
Hide file tree
Showing 3 changed files with 63 additions and 0 deletions.
11 changes: 11 additions & 0 deletions checks/permissions_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -312,6 +312,17 @@ func TestGithubTokenPermissions(t *testing.T) {
NumberOfDebug: 4,
},
},
{
name: "security-events write, known actions",
filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml"},
expected: scut.TestReturn{
Error: nil,
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 2, // This is constant.
NumberOfDebug: 8, // This is 4 + (number of actions)
},
},
{
name: "two files mix run-level and top-level",
filenames: []string{
Expand Down
4 changes: 4 additions & 0 deletions checks/raw/permissions.go
Original file line number Diff line number Diff line change
Expand Up @@ -372,6 +372,10 @@ func isAllowedWorkflow(workflow *actionlint.Workflow, fp string, pdata *permissi
// allow our own action, which writes sarif files
// https://github.com/ossf/scorecard-action
"ossf/scorecard-action": true,

// Code scanning with HLint uploads a SARIF file to GitHub.
// https://github.com/haskell-actions/hlint-scan
"haskell-actions/hlint-scan": true,
}

tokenPermissions := checker.TokenPermission{
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# Copyright 2021 OpenSSF Scorecard Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: write-and-read workflow
on: [push]
permissions: read-all

# All of the actions below are known to upload SARIF.
# They should not trigger a warning about the security-events
# write permission being enabled.
jobs:
codeql-analyze:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: github/codeql-action/analyze@v1

codeql-upload:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: github/codeql-action/upload-sarif@v1

scorecard:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: ossf/scorecard-action@v1

haskell-hlint:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: haskell-actions/hlint-scan@v1

0 comments on commit c93b2eb

Please sign in to comment.