Separate permission for security-events that allows publishing without reading all other events #29710
Unanswered
sethmlarson asked this question in API and Webhooks
Replies: 1 comment
I'd really love a I'm personally just as concerned as everyone else is by the wide-ranging permissions granted to carriers of the
Currently `security-events: write` is the only way for a GitHub Action to create security events. However, having `write` implies the GitHub Action has the ability to read security events as well, which has the potential to disclose vulnerabilities to a GitHub Action that's taken over.

My gut feeling is that almost all GitHub Actions that require `security-events: write` don't actually need `security-events: read`, because they only want to publish a security event, not view any already published security events.

I discovered this issue when reporting ossf/scorecard#2152, which is where OpenSSF Scorecard will dock points from a repository using its own GitHub Action because having `security-events: write` is insecure, but it requires the write permission in order to publish its own findings!
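As an added example (not part of the discussion above, and not Scorecard's own workflow), this workflow shows the least-privilege layout the post's concern points to today: the token defaults to read-only and `security-events: write` is granted only to the one job that uploads findings. `github/codeql-action/upload-sarif` is GitHub's SARIF upload action; the scanner command, job names and branch are placeholders.

```yaml
# Added example, not code from the discussion. The job names, branch
# and the `./scanner` command are placeholders.
name: scan

on:
  push:
    branches: [main]

# Workflow-level default: the token can only read repository contents.
permissions:
  contents: read

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    # Inherits the read-only default; this job gets no security-events scope.
    steps:
      - uses: actions/checkout@v4
      - run: echo "build and test"   # placeholder for the real build

  publish-findings:
    runs-on: ubuntu-latest
    # Only this job receives a token that can publish code scanning results.
    # As the post notes, `security-events: write` also implies `read`, so a
    # compromised step in this job can still list existing alerts; there is
    # no write-only scope, which is why the job is kept as small as possible.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Produce SARIF
        run: ./scanner --output results.sarif   # placeholder scanner
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Keeping the upload in its own job limits which steps ever see a token carrying the `security-events` scope, but it does not remove the read capability the post asks GitHub to make separable.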