cleanup for token doc and code (#552)

* cleanup

* comment
laurentsimon 2021-06-07 11:01:18 -07:00 committed by GitHub
parent 28b1db9267
commit 2c9a05c721
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 72 deletions


@ -128,15 +128,8 @@ This check looks for cryptographically signed tags in the last 5 tags. The check
## Token-Permissions ## Token-Permissions
This check tries to determine if a project's GitHub workflows follow the principle of least privilege, i.e. if the GitHub tokens are set read-only by default. The check currently checks that the 'permission' keyword is used and set to read/none for the 'contents' permission for every workflow yaml file. If other permissions are set globally for the entire file, this check fails. Otherwise it succeeds. This check tries to determine if a project's GitHub workflows follow the principle of least privilege, i.e. if the GitHub tokens are set read-only by default. For each workflow yaml file, the check looks for the permissions keyword. If it is set globally as read-only for the entire file, this check succeeds. Otherwise it fails. The check cannot detect if the "read-only" GitHub permission settings is enabled, as there is no API available.
**Remediation steps** **Remediation steps**
- Use: ``` permissions: - Set permissions as `read-all` or `contents: read` as described in GitHub's [documentation](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions).
contents: read
``` in all your .yaml files.
- If you need more permissions, declare them in the job itself, e.g. ``` jobs: create_commit:
runs-on: ubuntu-latest
permissions:
issues: write
```


@ -19,27 +19,14 @@ checks:
description: >- description: >-
This check tries to determine if a project's GitHub workflows This check tries to determine if a project's GitHub workflows
follow the principle of least privilege, i.e. if the GitHub tokens follow the principle of least privilege, i.e. if the GitHub tokens
are set read-only by default. The check currently checks that the 'permission' are set read-only by default. For each workflow yaml file, the check looks
keyword is used and set to read/none for the 'contents' permission for every workflow for the permissions keyword. If it is set globally as read-only for the entire file,
yaml file. If other permissions are set globally for the entire file, this check fails. this check succeeds. Otherwise it fails. The check cannot detect if the "read-only"
Otherwise it succeeds. GitHub permission settings is enabled, as there is no API available.
remediation: remediation:
- >- - >-
Use: Set permissions as `read-all` or `contents: read` as described in
``` GitHub's [documentation](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions).
permissions:
contents: read
```
in all your .yaml files.
- >-
If you need more permissions, declare them in the job itself, e.g.
```
jobs:
create_commit:
runs-on: ubuntu-latest
permissions:
issues: write
```
Security-Policy: Security-Policy:
description: >- description: >-
This check tries to determine if a project has published a security This check tries to determine if a project has published a security


@ -79,55 +79,42 @@ func validateMapPermissions(values map[interface{}]interface{}, path string,
func validateReadPermissions(config map[interface{}]interface{}, path string, func validateReadPermissions(config map[interface{}]interface{}, path string,
logf func(s string, f ...interface{})) (bool, error) { logf func(s string, f ...interface{})) (bool, error) {
permissionFound := false var permissions interface{}
permissionRead := true
var err error
// Iterate over the values. // Check if permissions are set explicitly.
for key, value := range config { permissions, ok := config["permissions"]
if key != "permissions" { if !ok {
continue
}
// We have found the permissions keyword.
permissionFound = true
// Check the type of our values.
switch val := value.(type) {
// Empty string is nil type.
// It defaults to 'none'
case nil:
// String type.
case string:
if !strings.EqualFold(val, "read-all") && val != "" {
logf("!! token-permissions/github-token - permission set to '%v' in %v", val, path)
return false, nil
}
// Map type.
case map[interface{}]interface{}:
var res bool
if res, err = validateMapPermissions(val, path, logf); err != nil {
return false, err
}
if !res {
permissionRead = false
}
// Invalid type.
default:
return false, ErrInvalidGitHubWorkflowFile
}
}
// Did we find a permission at all?
if !permissionFound {
logf("!! token-permissions/github-token - no permission defined in %v", path) logf("!! token-permissions/github-token - no permission defined in %v", path)
return false, nil return false, nil
} }
return permissionRead, nil // Check the type of our values.
switch val := permissions.(type) {
// Empty string is nil type.
// It defaults to 'none'
case nil:
// String type.
case string:
if !strings.EqualFold(val, "read-all") && val != "" {
logf("!! token-permissions/github-token - permission set to '%v' in %v", val, path)
return false, nil
}
// Map type.
case map[interface{}]interface{}:
if res, err := validateMapPermissions(val, path, logf); err != nil {
return false, err
} else if !res {
return false, nil
}
// Invalid type.
default:
return false, ErrInvalidGitHubWorkflowFile
}
return true, nil
} }
// Check file content. // Check file content.
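Review bot: The rewritten validateReadPermissions still inspects only the workflow-level `config["permissions"]` entry, so a file that sets `permissions: read-all` globally but grants write scopes in a job-level `permissions:` block passes the check even though GitHub applies the job-level block to that job's token; the new description text ("If it is set globally as read-only for the entire file, this check succeeds") makes the same file-level assumption. If that scope is intentional, say so at the function with `// Only the workflow-level permissions key is inspected; job-level overrides under jobs: are not checked.`; otherwise the job entries need the same string/map validation, which I would keep as a follow-up rather than fold into this cleanup. The `case nil:` branch also silently accepts a bare `permissions:` key with no value as read-only; a comment stating the GitHub default it relies on would help the next reader, since that default is not visible from the code. Separately, the `var permissions interface{}` declaration at the top of the body is redundant with the `:=` two lines below — `permissions, ok := config["permissions"]` alone declares both.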