
Support setting for repository wide read-only token

Open datosh opened this issue 2 years ago • 12 comments

Is your feature request related to a problem? Please describe. Based on Scorecard findings I have minimized the permissions of all tokens in our project. Thanks for helping to improve our security! ❤️

After merging the minimized permissions to main, I have set the repository setting Workflow permissions to read repository contents and went to see my reduced security warnings, just to discover that this is a documented limitation in Scorecard/GitHub API: "The check cannot detect if the "read-only" GitHub permission setting is enabled, as there is no API available."

This now reports a lot (>50) false positives in our repository, which costs a lot of engineering time to triage.

Describe the solution you'd like

  1. Support an additional CLI argument, e.g., --assume-read-only-token. With that the user guarantees that the setting is enforced by some other means, and Scorecard can work with the correct assumptions.
  2. In its current form there is no value in the token-permissions scan for me. An alternative solution would be to allow me to ignore a single scan. Currently scorecard only allows selecting specific checks to run, e.g., --check=SAST. I would like to be able to explicitly not run a single check, e.g., --disable-check=token-permissions, so that I can:
    • get the added benefit of additional (future) checks
    • keep my script nice and tidy, and express my desire of not running a single check

Describe alternatives you've considered

I have considered adding

permissions:
  contents: read

to all workflow definitions, but this approach is error prone and time consuming, not to mention: not sensible, since there is already a setting to enforce it 😉

Additional context Have you already discussed how to handle this in the OpenSSF community? Any battle-proven solutions / processes we could adopt here?

datosh avatar Jan 31 '23 16:01 datosh

I have just checked the GitHub API and discovered this endpoint: https://docs.github.com/en/rest/actions/permissions?apiVersion=2022-11-28#get-default-workflow-permissions-for-a-repository

Would this allow Scorecard to query the repository settings?

datosh avatar Jan 31 '23 19:01 datosh
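As an added example (not code from this issue or from the Scorecard project), this is what a consumer of that endpoint would do with its response: decode the documented JSON body, and combine the repository default with a workflow's top-level `permissions:` block to decide whether the workflow's GITHUB_TOKEN is read-only. It assumes the map form of `permissions:` (the `read-all`/`write-all` string forms are not modelled) and uses a constructed sample body rather than a live call.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// WorkflowPermissions mirrors the JSON returned by
// GET /repos/{owner}/{repo}/actions/permissions/workflow.
type WorkflowPermissions struct {
	DefaultWorkflowPermissions   string `json:"default_workflow_permissions"` // "read" or "write"
	CanApprovePullRequestReviews bool   `json:"can_approve_pull_request_reviews"`
}

// parsePermissions decodes the response and rejects any value other than the
// two documented ones, so an API change fails loudly instead of reading as "not read".
func parsePermissions(body []byte) (WorkflowPermissions, error) {
	var p WorkflowPermissions
	if err := json.Unmarshal(body, &p); err != nil {
		return p, err
	}
	if d := p.DefaultWorkflowPermissions; d != "read" && d != "write" {
		return p, fmt.Errorf("unexpected default_workflow_permissions %q", d)
	}
	return p, nil
}

// tokenIsReadOnly combines the repository default with a workflow's top-level
// permissions block. declared == nil means no block, so the default is inherited;
// with a block, unlisted scopes become none, so only an explicit "write" matters.
func tokenIsReadOnly(repoDefault string, declared map[string]string) bool {
	if declared == nil {
		return repoDefault == "read"
	}
	for _, level := range declared {
		if level == "write" {
			return false
		}
	}
	return true
}

func main() {
	body := []byte(`{"default_workflow_permissions":"read","can_approve_pull_request_reviews":false}`) // constructed sample, not a real response
	p, err := parsePermissions(body)
	if err != nil {
		panic(err)
	}
	fmt.Println("workflow without permissions block is read-only:", tokenIsReadOnly(p.DefaultWorkflowPermissions, nil))
}
```

A workflow that declares only `contents: read` is read-only regardless of the repository default, which is exactly the duplication the issue is asking Scorecard to avoid requiring.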

Hi, do you run the scorecard CLI or do you use the scorecard-action?

I think this API would work so long as a PAT is used (proposed in https://github.com/ossf/scorecard/issues/2556) /cc @diogoteles08

laurentsimon avatar Feb 01 '23 19:02 laurentsimon

We indeed use the scorecard action: https://github.com/edgelesssys/constellation/blob/main/.github/workflows/scorecard.yml

datosh avatar Feb 01 '23 21:02 datosh

Thanks. We're working on a config file to allow disabling certain checks. I will keep you posted.

laurentsimon avatar Feb 01 '23 22:02 laurentsimon

Stale issue message - this issue will be closed in 7 days

github-actions[bot] avatar Sep 17 '23 01:09 github-actions[bot]

This seems to be still an issue. @laurentsimon any update on the config file?

katexochen avatar Sep 17 '23 06:09 katexochen

WIP ETA EOY /cc @spencerschrock @gabibguti

laurentsimon avatar Sep 18 '23 18:09 laurentsimon

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Nov 18 '23 01:11 github-actions[bot]

Just wanted to mention that we still have the described issue.

3u13r avatar Nov 08 '24 13:11 3u13r

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Jan 10 '25 02:01 github-actions[bot]

still an issue

katexochen avatar Jan 10 '25 09:01 katexochen

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Mar 23 '25 02:03 github-actions[bot]