Skip to content

Harden GitHub Actions Workflow - kbanalysis.yml #2494

New issue
New issue
Closed
Closed
Harden GitHub Actions Workflow - kbanalysis.yml#2494
Labels
High Severity
@stepsecurity-int

Description

@stepsecurity-int
stepsecurity-int
bot
opened on Nov 6, 2024

GitHub Token Permissions Are Not Set to Minimum in Workflow

Summary

The GitHub token permissions in your workflow file (.github/workflows/kbanalysis.yml) exceed the minimum required. Reducing permissions to the minimum necessary enhances security by limiting the access scope of the token, thereby lowering the risk of accidental or malicious misuse.

Why This is Important

Using excessive permissions in GitHub workflows can expose your repository to potential security risks. The GitHub token grants access to repository resources, and any unnecessary permissions increase the likelihood of sensitive actions being performed without justification. By applying the principle of least privilege, you protect your repository from unintended data exposure and ensure that each job only has access to what it absolutely needs.

Evidence of Excessive Permissions

For more context, please refer to the build log from your recent workflow run, which highlights the permissions granted to the GitHub token that exceed the recommended minimum.

Suggested Fix

Below is the updated permissions configuration, which minimizes access for the GitHub token. Update your workflow file with this suggested configuration to resolve this issue:

```diff
  name: KBAnalysis
  on:
    workflow_dispatch:
      inputs:
        owner:
          type: string
          description: owner of the missing KB
        repo:
          type: string
          description: repo of the missing KB     
  permissions:
    contents: read
  jobs:
    Analysis:
      runs-on: ubuntu-latest
      permissions:
        issues: write
        contents: write
        pull-requests: write
      steps:
        - name: Harden Runner
          uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
          with:
            egress-policy: audit
        - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
          with:
            repository: step-security/secure-repo
        - name: KBAnalysis
          uses: step-security/secure-workflows/kbanalysis@main
          with:
            github-token: ${{secrets.PAT}}
            owner: ${{inputs.owner}}
            repo : ${{inputs.repo}}
        - id: get-action
          uses: actions/github-script@5d03ada4b0a753e9460b312e61cc4f8fdeacf163
          with:
            script: |
              var id = "${{github.event.issue.title}}".split(' ')[6]
              core.setOutput('id', id)
        - name: Create Pull Request
          uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672
          with:
            token: ${{secrets.PAT}} #  need to use PAT since GITHUB_TOKEN does not initiate workflows
            commit-message: "added action-security.yml for ${{inputs.owner}}/${{inputs.repo}}"
            title: "[KB] Add GitHub token permissions for ${{inputs.owner}}/${{inputs.repo}}"
            branch: "kb-${{inputs.owner}}-${{inputs.repo}}"
            base: "knowledge-base"
            body: "PR added by kb-analysis workflow"
            labels: "knowledge-base"

Next Steps

Please review and update the workflow file with these minimum permissions. If additional permissions are necessary for certain steps, specify only those permissions explicitly.

For further guidance, refer to the GitHub documentation on fine-grained permissions.

Severity: High

Metadata

Metadata

Assignees

No one assigned

    Labels

    High Severity

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions