Skip to content

Task/npt 1102 resolve checkov top level permission error#29

Merged
soji-kainos-nhs-temp merged 2 commits intodevelopfrom
task/NPT-1102_Resolve_checkov_top_level_permission_error
Mar 4, 2026
Merged

Task/npt 1102 resolve checkov top level permission error#29
soji-kainos-nhs-temp merged 2 commits intodevelopfrom
task/NPT-1102_Resolve_checkov_top_level_permission_error

Conversation

@soji-kainos-nhs-temp
Copy link
Collaborator

@soji-kainos-nhs-temp soji-kainos-nhs-temp commented Mar 4, 2026

Description

Context

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 4, 2026
View reviewed changes
.github/workflows/cicd-1-pull-request.yaml

permissions:
contents: read
id-token: write

Check notice

Code scanning / SonarCloud

Write permissions should be defined at the job level Low

Move this write permission from workflow level to job level. See more on SonarQube Cloud
.github/workflows/cicd-2-publish.yaml
# checkov:skip=CKV2_GHA_1: "Ensure top-level permissions are not set to write-all. TODO- NPT-1102"

permissions:
contents: read

Check notice

Code scanning / SonarCloud

Read permissions should be defined at the job level Low

Move this read permission from workflow level to job level. See more on SonarQube Cloud
.github/workflows/cicd-2-publish.yaml

permissions:
contents: read
id-token: write

Check notice

Code scanning / SonarCloud

Write permissions should be defined at the job level Low

Move this write permission from workflow level to job level. See more on SonarQube Cloud
.github/workflows/cicd-3-deploy.yaml
name: "CI/CD deploy"

permissions:
contents: read

Check notice

Code scanning / SonarCloud

Read permissions should be defined at the job level Low

Move this read permission from workflow level to job level. See more on SonarQube Cloud
.github/workflows/cicd-3-deploy.yaml

permissions:
contents: read
id-token: write

Check notice

Code scanning / SonarCloud

Write permissions should be defined at the job level Low

Move this write permission from workflow level to job level. See more on SonarQube Cloud
.github/workflows/cicd-4-deploy-sandbox.yaml
name: "CI/CD deploy sandbox API"

permissions:
contents: read

Check notice

Code scanning / SonarCloud

Read permissions should be defined at the job level Low

Move this read permission from workflow level to job level. See more on SonarQube Cloud
.github/workflows/cicd-4-deploy-sandbox.yaml

permissions:
contents: read
id-token: write

Check notice

Code scanning / SonarCloud

Write permissions should be defined at the job level Low

Move this write permission from workflow level to job level. See more on SonarQube Cloud
.github/workflows/stage-1-commit.yaml
name: "Commit stage"

permissions:
contents: read

Check notice

Code scanning / SonarCloud

Read permissions should be defined at the job level Low

Move this read permission from workflow level to job level. See more on SonarQube Cloud
.github/workflows/stage-2-test.yaml
name: "Test stage"

permissions:
contents: read

Check notice

Code scanning / SonarCloud

Read permissions should be defined at the job level Low

Move this read permission from workflow level to job level. See more on SonarQube Cloud
.github/workflows/stage-4-acceptance.yaml
name: "Acceptance stage"

permissions:
contents: read

Check notice

Code scanning / SonarCloud

Read permissions should be defined at the job level Low

Move this read permission from workflow level to job level. See more on SonarQube Cloud
@soji-kainos-nhs-temp soji-kainos-nhs-temp merged commit 188cbc1 into develop Mar 4, 2026
40 of 41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@soji-kainos-nhs-temp