Unspecified workflow-level permissions
ID: github-actions/permissions
Language: YAML
Severity: Warning
Category: Security
Description: Datadog's GitHub organization defines the default permissions of the GITHUB_TOKEN as restricted (contents: read, metadata: read, and packages: read).
Your repository may need a different setup, so define permissions explicitly, following the principle of least privilege, to limit what a compromised step, action, or reusable workflow can do with the token.
The list of all possible permissions is in "Workflow syntax for GitHub Actions" (GitHub Docs). They can be defined at the workflow level (applying to every job) or at the job level (overriding the workflow-level block for that job). Two caveats worth keeping in mind: as soon as a permissions block names any scope, every scope it does not name is set to none (metadata: read is always granted), and for a job that calls a reusable workflow, the caller's permissions are the ceiling; the called workflow can only lower them, never raise them.
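The following workflow shows that layout end to end. It is an added example, not one of this rule's own code examples and not a Datadog project workflow: the top-level `permissions: {}` denies the GITHUB_TOKEN everything, and each job then opts in to exactly the scopes it needs. The job names, the `post-lint-summary.sh` script, and the `repo` input of `pr-test.yml` are assumptions made for illustration.

```yaml
name: ci
on:
  pull_request:

# Weak setting this replaces (do not use):
#   permissions: write-all
# Workflow-level default: the GITHUB_TOKEN gets no scopes at all.
# Every job must opt in below; any scope a job does not list is `none`
# (metadata: read is always granted).
permissions: {}

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # only needs to clone the repository
    steps:
      - uses: actions/checkout@v4
      - run: make lint

  report:
    runs-on: ubuntu-latest
    needs: lint
    permissions:
      contents: read
      pull-requests: write      # needed to post a comment on the PR
    steps:
      - uses: actions/checkout@v4
      # Hypothetical script that calls the GitHub API with the job token.
      - run: ./scripts/post-lint-summary.sh
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  test:
    # Caller job for a reusable workflow. The permissions set here are the
    # ceiling for pr-test.yml: it can lower them but cannot obtain more,
    # so `secrets: inherit` does not also hand it a write-capable token.
    uses: ./.github/workflows/pr-test.yml
    permissions:
      contents: read
    with:
      repo: core                # assumed input of pr-test.yml
    secrets: inherit
```

If a job needs no access to the repository at all (for example a pure `run:` step that never checks out code), leaving its permissions block out is correct here, because the workflow-level `permissions: {}` already leaves it with nothing beyond metadata: read.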
Non-Compliant Code Examples

A job that calls a reusable workflow without a permissions block: the called workflow receives the default GITHUB_TOKEN permissions, and with `secrets: inherit` it also receives every secret of the caller.

```yaml
jobs:
  test:
    uses: ./.github/workflows/pr-test.yml
    with:
      repo: core
    secrets: inherit
```

A job with no permissions block at either the job or the workflow level (the action reference is shown as on the original page; a version or commit ref is normally required):

```yaml
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout
```

The same job with the action pinned to a tag; pinning does not change the fact that no permissions are declared:

```yaml
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
```
Compliant Code Examples

Permissions are declared once at the workflow level, so the `linter` job inherits `contents: read` and nothing else; the `permissions` key is what satisfies this rule, the egress restrictions and the commit-pinned actions are separate hardening measures.

```yaml
name: kubehound-linter
on:
  push:
    branches:
      - main
  pull_request:
permissions:
  contents: read
jobs:
  linter:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            goreleaser.com:443
            golang.org:443
            go.dev:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            storage.googleapis.com:443
            uploads.github.com:443
            sum.golang.org:443
      - name: Setup Golang
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
        with:
          go-version: "1.22"
      - name: Checkout Git Repo
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
      - name: golangci-lint
        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc
        with:
          version: v1.56.2
          args: ./...
```