Unspecified workflows level permissions
ID: github-actions/permissions
Language: YAML
Severity: Warning
Category: Security
Description
Datadog's GitHub organization defines default permissions for the GITHUB_TOKEN to be restricted (contents:read, metadata:read, and packages:read).
Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle: the fewer scopes a job's token carries, the less an attacker can do with it if that job is compromised.
You can find the list of all possible permissions in "Workflow syntax for GitHub Actions" in the GitHub Docs. They can be defined at the job or the workflow level.
Non-Compliant Code Examples
jobs:
  test:
    uses: ./.github/workflows/pr-test.yml
    with:
      repo: core
    secrets: inherit

lint:
  - name: Checkout repository
    uses: actions/checkout

lint:
  - name: Checkout repository
    uses: actions/checkout@v2
Compliant Code Examples
name: kubehound-linter
on:
  push:
    branches:
      - main
  pull_request:
permissions:
  contents: read
jobs:
  linter:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            goreleaser.com:443
            golang.org:443
            go.dev:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            storage.googleapis.com:443
            uploads.github.com:443
            sum.golang.org:443
      - name: Setup Golang
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
        with:
          go-version: "1.22"
      - name: Checkout Git Repo
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
      - name: golangci-lint
        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc
        with:
          version: v1.56.2
          args: ./...
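The compliant example above sets permissions once at the workflow level. The following added example (not from the Datadog rule page) goes one step further and shows job-level scoping, including a job that calls a reusable workflow; it assumes a hypothetical `make test` target and that `pr-test.yml` defines a `repo` input as in the non-compliant example.

```yaml
# Added example: deny everything by default, then grant each job only the
# scopes it actually uses. The reusable workflow call and the `repo` input are
# taken from the non-compliant example; `make test` is hypothetical.
name: ci
on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default: no permissions unless a job opts in below.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    # Only needs to read the repository contents.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: make test

  comment:
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'pull_request'
    # Posting a PR comment needs pull-requests: write and nothing more.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr comment "$PR" --body "tests passed"
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}

  reusable:
    # Permissions set on a job that calls a reusable workflow cap what the
    # called workflow's jobs receive; they can only be downgraded there.
    uses: ./.github/workflows/pr-test.yml
    permissions:
      contents: read
    with:
      repo: core
    secrets: inherit
```

With `permissions: {}` at the top, any job that omits its own `permissions` block gets a token with no scopes, so a forgotten declaration fails closed rather than falling back to the organization default.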