Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Minimum Permissions Map #18517

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

Add Minimum Permissions Map #18517

wants to merge 4 commits into from
+365 −14

Conversation

KyFaSt
Copy link
Contributor

@KyFaSt KyFaSt commented Jan 16, 2025

Pull Request checklist

Add a map to suggest the minimum permissions needed for the GITHUB_TOKEN when commonly used GitHub owned actions are detected

All query authors

Internal query authors only

  • Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to .ql, .qll, or .qhelp files. See the documentation (internal access required).
  • Changes are validated at scale (internal access required).
  • Adding a new query? Consider also adding the query to autofix.

@KyFaSt
Add Minimum Permissions Map
8ed7d3d 
* detect commonly used GitHub owned actions use a map to suggest the
  minimum permissions needed for the GITHUB_TOKEN
@github-actions github-actions bot added the Actions Analysis of GitHub Actions label Jan 16, 2025
@KyFaSt
Copy link
Contributor Author

KyFaSt commented Jan 16, 2025

Hi @dave-bartolomeo here's the draft we discussed

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 16, 2025
View reviewed changes
actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
// using the data extension or there are no uses steps
// that are children of the job
boolean unknownPermissions(Job job) {
minPermissions(job) = "" and result = true or count(job.getAChildNode*().(MinimumActionsPermissions)) = 0 and result = true

Check warning

Code scanning / CodeQL

Counting zero elements Warning

Use not exists(..) instead of checking that there is zero elements in a set.
actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
not e.getName() = "workflow_call"
)
select job,
"Actions Job or Workflow does not set permissions. Recommended minimum permissions are ($@)",

Check warning

Code scanning / CodeQL

Alert message style violation Warning

Alert message should end with a full stop.
actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
)
select job,
"Actions Job or Workflow does not set permissions. Recommended minimum permissions are ($@)",
job, getMinPermissions(job)

Check warning

Code scanning / CodeQL

Alert message style violation Warning

Don't repeat the alert location as a link.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Actions Analysis of GitHub Actions
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@KyFaSt