Adjusted to max score with warning if job content are set to write (#…

…2355) Signed-off-by: Eddie Knight <iv.eddieknight@gmail.com> Signed-off-by: Eddie Knight <iv.eddieknight@gmail.com>
ossf · Oct 17, 2022 · c408592 · c408592
1 parent 78c7e83
commit c408592
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/checks/evaluation/permissions.go b/checks/evaluation/permissions.go
@@ -241,8 +241,9 @@ func calculateScore(result map[string]permissions) int {
 
 		// contents.
 		// Allows attacker to commit unreviewed code.
+		// Scoring does not apply to job-level permissions, as this is a common place to use third-party actions.
 		// High risk: -10
-		if permissionIsPresent(perms, "contents") {
+		if permissionIsPresentInTopLevel(perms, "contents") {
 			score -= checker.MaxResultScore
 		}
 

diff --git a/checks/permissions_test.go b/checks/permissions_test.go
@@ -251,7 +251,7 @@ func TestGithubTokenPermissions(t *testing.T) {
 			filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-contents-writes-no-release.yaml"},
 			expected: scut.TestReturn{
 				Error:         nil,
-				Score:         checker.MinResultScore,
+				Score:         checker.MaxResultScore,
 				NumberOfWarn:  1,
 				NumberOfInfo:  1,
 				NumberOfDebug: 4,