Harden GitHub Actions Workflow - wf2.yml

[stepsecurity-int]

GitHub Token Permissions Are Not Set to Minimum in Workflow

Summary

The GitHub token permissions in your workflow file (.github/workflows/wf2.yml) exceed the minimum required. Reducing permissions to the minimum necessary enhances security by limiting the access scope of the token, thereby lowering the risk of accidental or malicious misuse.

Why This is Important

Using excessive permissions in GitHub workflows can expose your repository to potential security risks. The GitHub token grants access to repository resources, and any unnecessary permissions increase the likelihood of sensitive actions being performed without justification. By applying the principle of least privilege, you protect your repository from unintended data exposure and ensure that each job only has access to what it absolutely needs.

Evidence of Excessive Permissions

For more context, please refer to the build log from your recent workflow run, which highlights the permissions granted to the GitHub token that exceed the recommended minimum.

Suggested Fix

Below is the updated permissions configuration, which minimizes access for the GitHub token. Update your workflow file with this suggested configuration to resolve this issue:

  name: Test GitHubToken Excessive Permissions
  on:
    push:
      branches:
        - main
+ permissions:
+   contents: read
  jobs:
    test-permissions:
      runs-on: ubuntu-latest
      # Overly broad permissions for GITHUB_TOKEN
      permissions:
        contents: write
        issues: write
        pull-requests: write
        actions: write
        checks: write
        deployments: write
        statuses: write
        packages: write
        repository-projects: write
        discussions: write
        security-events: write  # This one, in particular, should raise a flag as it's typically not needed for most workflows
      steps:
        - name: Checkout code
          uses: actions/checkout@v3
        - name: Dummy Step
          run: echo "This is to test excessive token permissions"

Next Steps

Please review and update the workflow file with these minimum permissions. If additional permissions are necessary for certain steps, specify only those permissions explicitly.

If you'd like us to create a pull request with the suggested changes for you, comment /secure-workflow on this issue, and we will handle the rest.

For further guidance, refer to the GitHub documentation on fine-grained permissions.

Severity: High

[Raj-StepSecurity]

/secure-workflow

[stepsecurity-int]

A pull request #4 has been created to remediate the identified security issues. Please review and merge it at your earliest convenience!

Thank you for helping us apply security best practices!

[Raj-StepSecurity]

/secure-workflow

[stepsecurity-int]

A pull request has been created to address the issue. You can view the PR here.

If you still want to create a new PR, please close this one and retry. Feel free to connect with us regarding any queries.