Module ghsec::checks::default_worfklow_permissions


The default_workflow_permissions check ensures that the Default Workflow Permissions in a repository use secure values.

There are two settings for Default Workflow Permissions:

  • default_workflow_permissions: can be read or write. Defaults to write. This controls whether the default $GITHUB_TOKEN provided to workflows has write access to the repository (contents, pull requests, etc.) or only read access. Setting this to read forces workflow authors to explicitly enable write access for various scopes, which reduces the attack surface of workflows pushed to the repository.
  • can_approve_pull_request_reviews: can be true or false. Defaults to true. This controls whether workflows (through the principal represented by the default $GITHUB_TOKEN) are allowed to approve pull requests. Since approving pull requests through a workflow is a way of circumventing branch protections, setting this to false prevents attacks that rely on this behavior.

This check will emit warnings for repositories where any of these settings do not use a secure value.

When running with --fix, this will set both these settings to secure values:

  • default_workflow_permissions: read
  • can_approve_pull_request_reviews: false
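
As an added example (not ghsec's own code), the check and fix logic for the two settings, applied to the JSON shape returned by GitHub's REST endpoint `GET /repos/{owner}/{repo}/actions/permissions/workflow` (the same fields are sent back with PUT to apply a fix). The `field` extractor is a hand-rolled assumption used to keep the example free of crate dependencies; a real implementation would use a JSON library.

```rust
// Added example mirroring the default_workflow_permissions check; not ghsec code.

#[derive(Debug, Clone, PartialEq)]
pub struct WorkflowPermissions {
    pub default_workflow_permissions: String, // "read" or "write"
    pub can_approve_pull_request_reviews: bool,
}

/// The secure values that `--fix` applies.
pub fn secure() -> WorkflowPermissions {
    WorkflowPermissions { default_workflow_permissions: "read".to_string(), can_approve_pull_request_reviews: false }
}

/// Minimal extractor for a bare value in a flat JSON object (assumption: good enough for this two-field payload).
fn field<'a>(json: &'a str, key: &str) -> Option<&'a str> {
    let needle = format!("\"{}\"", key);
    let rest = &json[json.find(&needle)? + needle.len()..];
    let rest = rest.trim_start().strip_prefix(':')?.trim_start();
    let end = rest.find(|c: char| c == ',' || c == '}').unwrap_or(rest.len());
    Some(rest[..end].trim().trim_matches('"'))
}

pub fn parse(json: &str) -> Option<WorkflowPermissions> {
    Some(WorkflowPermissions {
        default_workflow_permissions: field(json, "default_workflow_permissions")?.to_string(),
        can_approve_pull_request_reviews: field(json, "can_approve_pull_request_reviews")?.parse().ok()?,
    })
}

/// One warning per setting that does not hold its secure value.
pub fn check(p: &WorkflowPermissions) -> Vec<String> {
    let mut warnings = Vec::new();
    if p.default_workflow_permissions != "read" {
        warnings.push(format!("default_workflow_permissions is `{}`, expected `read`", p.default_workflow_permissions));
    }
    if p.can_approve_pull_request_reviews {
        warnings.push("can_approve_pull_request_reviews is `true`, expected `false`".to_string());
    }
    warnings
}

/// Request body that `--fix` would PUT to the same endpoint.
pub fn fix_body() -> String {
    "{\"default_workflow_permissions\":\"read\",\"can_approve_pull_request_reviews\":false}".to_string()
}

fn main() {
    // Constructed sample response showing GitHub's insecure defaults.
    let sample = r#"{"default_workflow_permissions":"write","can_approve_pull_request_reviews":true}"#;
    let perms = parse(sample).expect("valid settings JSON");
    for w in check(&perms) { println!("warning: {}", w); }
    println!("fix: {}", fix_body());
}
```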

Sources

Structs