diff --git a/checks/permissions_test.go b/checks/permissions_test.go
index 40affa16220..23a4b83bbd5 100644
--- a/checks/permissions_test.go
+++ b/checks/permissions_test.go
@@ -312,6 +312,17 @@ func TestGithubTokenPermissions(t *testing.T) {
 NumberOfDebug: 4,
 },
 },
+ {
+ name: "security-events write, known actions",
+ filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml"},
+ expected: scut.TestReturn{
+ Error: nil,
+ Score: checker.MaxResultScore,
+ NumberOfWarn: 0,
+ NumberOfInfo: 2, // This is constant.
+ NumberOfDebug: 8, // This is 4 + (number of actions)
+ },
+ },
 {
 name: "two files mix run-level and top-level",
 filenames: []string{
diff --git a/checks/raw/permissions.go b/checks/raw/permissions.go
index e2415625a32..c2004ec89cd 100644
--- a/checks/raw/permissions.go
+++ b/checks/raw/permissions.go
@@ -372,6 +372,10 @@ func isAllowedWorkflow(workflow *actionlint.Workflow, fp string, pdata *permissi
 // allow our own action, which writes sarif files
 // https://github.com/ossf/scorecard-action
 "ossf/scorecard-action": true,
+
+ // Code scanning with HLint uploads a SARIF file to GitHub.
+ // https://github.com/haskell-actions/hlint-scan
+ "haskell-actions/hlint-scan": true,
 }
 
 tokenPermissions := checker.TokenPermission{
diff --git a/checks/testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml b/checks/testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml
new file mode 100644
index 00000000000..6b72f9ec7b6
--- /dev/null
+++ b/checks/testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml
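Review bot: The new `"haskell-actions/hlint-scan": true` entry in the permissions.go hunk widens a hard-coded trust list without recording what qualifies an action for it, and nothing visible ties the exemption to how the step is referenced (for example a SHA-pinned `uses:`), so the comment above the map is the place to state the admission criterion. The existing entry is justified as "our own action"; a third-party action deserves a stronger rationale than "uploads a SARIF file", because the map key looks like it is matched on the action name alone, which would exempt every workflow that references it however it is pinned (the matching code is outside the hunk, so this is inferred). I would add above the map: `// Actions that legitimately need security-events: write to upload SARIF. Listing an action here suppresses the warning for every workflow that references it, so only add well-known, actively maintained actions.` `isAllowedWorkflow` starts before this hunk and its body continues after it.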
@@ -0,0 +1,48 @@
+# Copyright 2021 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: write-and-read workflow
+on: [push]
+permissions: read-all
+# All of the actions below are known to upload SARIF.
+# They should not trigger a warning about the security-events
+# write permission being enabled.
+jobs:
+ codeql-analyze:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - uses: github/codeql-action/analyze@v1
+ codeql-upload:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - uses: github/codeql-action/upload-sarif@v1
+ scorecard:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - uses: ossf/scorecard-action@v1
+ haskell-hlint:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - uses: haskell-actions/hlint-scan@v1
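Review bot: The fixture's `name: write-and-read workflow` does not describe this file, whose every job layers `security-events: write` on a top-level `permissions: read-all` to exercise the known-action exemption, so it reads as copied from another fixture. A name such as `name: security-events write with known SARIF-uploading actions` would make any failure that prints the workflow name self-explanatory. It would also help to extend the header comment with `# Adding a job here changes the expected debug count in TestGithubTokenPermissions.`, since the Go test in this same diff hard-codes that count as `4 + (number of actions)`.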