README
¶
missing-app-token-permissions
Checks that actions/create-github-app-token specifies at least one permission-* input.
Risk
By default, actions/create-github-app-token generates a token with every permission the GitHub App installation has. If a downstream step is compromised, the attacker gains access to all those permissions instead of only the ones actually needed.
Examples
Bad ❌
steps:
- uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
Good ✅
steps:
- uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
permission-contents: write
Explicitly listing permission-* inputs ensures the token follows the principle of least privilege, limiting the blast radius of a compromised step.
Documentation
¶
Index ¶
- type Rule
- func (r *Rule) CheckAction(mapping workflow.ActionMapping) []*diagnostic.Error
- func (r *Rule) CheckWorkflow(mapping workflow.WorkflowMapping) []*diagnostic.Error
- func (r *Rule) Fix() string
- func (r *Rule) ID() string
- func (r *Rule) Online() bool
- func (r *Rule) Required() bool
- func (r *Rule) Why() string
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Rule ¶
type Rule struct{}
func (*Rule) CheckAction ¶
func (r *Rule) CheckAction(mapping workflow.ActionMapping) []*diagnostic.Error
func (*Rule) CheckWorkflow ¶
func (r *Rule) CheckWorkflow(mapping workflow.WorkflowMapping) []*diagnostic.Error
Source Files
Click to show internal directories.
Click to hide internal directories.