DOS4300: Workflow permissions - Default workflow permissions granted to the GITHUB_TOKEN should be restricted to read-only access | Security KB - DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.

This website stores cookies on your computer.These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, please review our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.
By clicking “Accept All”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

GitHub organization critical builtIn

Description

As a good security practice, you should grant the GITHUB_TOKEN the least required access. Read should be the default permissions granted to the GITHUB_TOKEN when running workflows in your organization. You can specify more granular permissions in the workflow using YAML. Workflows have read permissions in the repository for the contents and packages scopes only. Learn more: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token https://docs.github.com/en/enterprise-cloud@latest/actions/security-guides/security-hardening-for-github-actions#restricting-permissions-for-tokens https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization

Recommendation

1. Go to Organization Settings. 
2. In the 'Code, planning, and automation' section of the sidebar, click on Actions -> General. 
3. Under the 'Workflow permissions' section. 
4. Ensure the 'Read repository contents and packages permissions' setting is selected.

Policy Rule

{
  "target": "GHActionsPolicies",
  "if": {
    "allOf": [
      {
        "resource": "GHActionsPolicies",
        "property": "DefaultWorkflowPermissions",
        "operator": "equals",
        "value": "read"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}

« DOS4210 DOS4320 »

Rule Details

Rule ID: DOS4300
Code: GH_Organization_Actions_Policies_Restrict_Default_Workflow_Permissions_To_Read
Platform: GitHub
Category: organization
Severity: critical
Type: builtIn

DOS4300

Workflow permissions - Default workflow permissions granted to the GITHUB_TOKEN should be restricted to read-only access

DOS4300

Description

Recommendation

Policy Rule

View evaluation logic (JSON)

Rule Details

Related Rules