Commit
Make documentation for actions more accurate
Chris McGehee committed Feb 25, 2022
1 parent 659ca06 commit e346208
Showing 3 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion checks/permissions.go
Expand Up @@ -342,7 +342,7 @@ func calculateScore(result permissionCbData) int {
}

// actions.
// May allow an attacker to steal GitHub secrets by adding a malicious workflow/action.
// May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.
// High risk: -10
if permissionIsPresent(perms, permissionActions) {
score -= checker.MaxResultScore
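Review bot: the replacement comment is hard to parse ("approving to run an action that needs approval") and still does not say how an approval turns into secret theft, so the next reader of calculateScore is no better off than before. Suggest spelling the mechanism out in the comment, e.g. `// May allow an attacker to approve a pending workflow run (e.g. one triggered by a pull request from a fork),` followed by `// which then executes with access to the repository's secrets.` The substantive correction is right: adding a malicious workflow file, as the old comment described, is a commit and is therefore already covered by the `contents` deduction documented in this same check, not by `actions`.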
2 changes: 1 addition & 1 deletion docs/checks.md
Expand Up @@ -581,7 +581,7 @@ Additionally, points are reduced if certain write permissions are defined for a
### Write permissions causing a large reduction
* `contents` - Allows an attacker to commit unreviewed code. However, points are not reduced if the job utilizes a recognized packaging action or command.
* `packages` - Allows an attacker to publish packages. However, points are not reduced if the job utilizes a recognized packaging action or command.
* `actions` - May allow an attacker to steal GitHub secrets by adding a malicious workflow or action.
* `actions` - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.


**Remediation steps**
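Review bot: same wording problem as in checks/permissions.go, but this text is user-facing, so it should state the mechanism plainly instead of "approving to run an action that needs approval". Suggest: `* \`actions\` - May allow an attacker to approve a workflow run that is waiting for approval (for example one triggered by a pull request from a fork), so that it runs with access to the repository's secrets.` Whatever phrasing is adopted should be applied identically in docs/checks/internal/checks.yaml, which carries the same sentence in this commit.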
2 changes: 1 addition & 1 deletion docs/checks/internal/checks.yaml
Expand Up @@ -633,7 +633,7 @@ checks:
### Write permissions causing a large reduction
* `contents` - Allows an attacker to commit unreviewed code. However, points are not reduced if the job utilizes a recognized packaging action or command.
* `packages` - Allows an attacker to publish packages. However, points are not reduced if the job utilizes a recognized packaging action or command.
* `actions` - May allow an attacker to steal GitHub secrets by adding a malicious workflow or action.
* `actions` - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.
remediation:
- >-
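Review bot: this bullet duplicates the `actions` line from docs/checks.md word for word, which is the right thing to do when checks.md is rendered from this YAML, but it means any rewording settled on for the `+` line in checks.md has to land here in the same commit or the two files drift. Nit, as in the other two hunks: "approving to run an action that needs approval" reads better as "approving a pending workflow run", with a short clause on why that exposes secrets.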