✨ Consider haskell-actions/hlint-scan a code scanning action (ossf#2846)

* Add haskell-actions/hlint-scan as one of know GitHub actions which upload SARIF. Signed-off-by: Yoo Chung <[email protected]> * Test security-events permissions with actions known to upload SARIF. Signed-off-by: Yoo Chung <[email protected]> --------- Signed-off-by: Yoo Chung <[email protected]> Signed-off-by: Avishay <[email protected]>
balteravishay · Apr 13, 2023 · ecc095f · ecc095f
1 parent 34e2f79
commit ecc095f
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 0 deletions.
diff --git a/checks/permissions_test.go b/checks/permissions_test.go
@@ -312,6 +312,17 @@ func TestGithubTokenPermissions(t *testing.T) {
 				NumberOfDebug: 4,
 			},
 		},
+		{
+			name:      "security-events write, known actions",
+			filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml"},
+			expected: scut.TestReturn{
+				Error:         nil,
+				Score:         checker.MaxResultScore,
+				NumberOfWarn:  0,
+				NumberOfInfo:  2,  // This is constant.
+				NumberOfDebug: 8,  // This is 4 + (number of actions)
+			},
+		},
 		{
 			name: "two files mix run-level and top-level",
 			filenames: []string{

diff --git a/checks/raw/permissions.go b/checks/raw/permissions.go
@@ -372,6 +372,10 @@ func isAllowedWorkflow(workflow *actionlint.Workflow, fp string, pdata *permissi
 		// allow our own action, which writes sarif files
 		// https://github.com/ossf/scorecard-action
 		"ossf/scorecard-action": true,
+
+		// Code scanning with HLint uploads a SARIF file to GitHub.
+		// https://github.com/haskell-actions/hlint-scan
+		"haskell-actions/hlint-scan": true,
 	}
 
 	tokenPermissions := checker.TokenPermission{

diff --git a/checks/testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml b/checks/testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml
@@ -0,0 +1,48 @@
+# Copyright 2021 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: write-and-read workflow
+on: [push]
+permissions: read-all
+
+# All of the actions below are known to upload SARIF.
+# They should not trigger a warning about the security-events
+# write permission being enabled.
+jobs:
+  codeql-analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: github/codeql-action/analyze@v1
+
+  codeql-upload:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: github/codeql-action/upload-sarif@v1
+
+  scorecard:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: ossf/scorecard-action@v1
+
+  haskell-hlint:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: haskell-actions/hlint-scan@v1