Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

📖 Adding missing documentation for Token-Permissions #1656

Merged
merged 5 commits into from
Feb 25, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion checks/permissions.go
Original file line number Diff line number Diff line change
Expand Up @@ -399,7 +399,7 @@ func calculateScore(result permissionCbData) int {
}

// actions.
// May allow an attacker to steal GitHub secrets by adding a malicious workflow/action.
// May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.
// High risk: -10
if permissionIsPresent(perms, permissionActions) {
score -= checker.MaxResultScore
Expand Down
17 changes: 15 additions & 2 deletions docs/checks.md
Original file line number Diff line number Diff line change
Expand Up @@ -566,9 +566,22 @@ and the required write permissions are declared at the
One point is reduced from the score if all jobs have their permissions defined but the top level permissions are not defined.
This configuration is secure, but there is a chance that when a new job is added to the workflow, its job permissions could be
left undefined because of human error.

The check cannot detect if the "read-only" GitHub permission setting is
enabled, as there is no API available.
enabled, as there is no API available.

Additionally, points are reduced if certain write permissions are defined for a job.

### Write permissions causing a small reduction
* `statuses` - May allow an attacker to change the result of pre-submit checks and get a PR merged.
* `checks` - May allow an attacker to remove pre-submit checks and introduce a bug.
* `security-events` - May allow an attacker to read vulnerability reports before a patch is available. However, points are not reduced if the job utilizes a recognized action for uploading SARIF results.
* `deployments` - May allow an attacker to charge repo owner by triggering VM runs, and tiny chance an attacker can trigger a remote service with code they own if server accepts code/location variables unsanitized.

### Write permissions causing a large reduction
* `contents` - Allows an attacker to commit unreviewed code. However, points are not reduced if the job utilizes a recognized packaging action or command.
* `packages` - Allows an attacker to publish packages. However, points are not reduced if the job utilizes a recognized packaging action or command.
* `actions` - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.


**Remediation steps**
Expand Down
18 changes: 16 additions & 2 deletions docs/checks/internal/checks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -618,9 +618,23 @@ checks:
One point is reduced from the score if all jobs have their permissions defined but the top level permissions are not defined.
This configuration is secure, but there is a chance that when a new job is added to the workflow, its job permissions could be
left undefined because of human error.

The check cannot detect if the "read-only" GitHub permission setting is
enabled, as there is no API available.
enabled, as there is no API available.

Additionally, points are reduced if certain write permissions are defined for a job.

### Write permissions causing a small reduction
* `statuses` - May allow an attacker to change the result of pre-submit checks and get a PR merged.
* `checks` - May allow an attacker to remove pre-submit checks and introduce a bug.
* `security-events` - May allow an attacker to read vulnerability reports before a patch is available. However, points are not reduced if the job utilizes a recognized action for uploading SARIF results.
* `deployments` - May allow an attacker to charge repo owner by triggering VM runs, and tiny chance an attacker can trigger a remote service with code they own if server accepts code/location variables unsanitized.

### Write permissions causing a large reduction
* `contents` - Allows an attacker to commit unreviewed code. However, points are not reduced if the job utilizes a recognized packaging action or command.
* `packages` - Allows an attacker to publish packages. However, points are not reduced if the job utilizes a recognized packaging action or command.
* `actions` - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.

remediation:
- >-
Set permissions as `read-all` or `contents: read` as described in
Expand Down