Harden GitHub Actions Workflow - wf6.yml #116
Description
GitHub Hosted Runner Should Be Hardened
Summary
The GitHub-hosted runner used in your workflow file (.github/workflows/wf6.yml) is not sufficiently hardened against potential security threats. Hardening the runner enhances security by mitigating risks such as unauthorized network egress credential exfiltration, and source code tampering.
Why This is Important
Unhardened GitHub-hosted runners create significant security vulnerabilities in your CI/CD environment. When workflows, dependencies or build tools become compromised, attackers can steal credentials and source code through network access. The build process itself becomes vulnerable, allowing malicious actors to introduce backdoors and security flaws into your artifacts.
For further guidance, refer to the Harden-Runner documentation.
Github Actions Should Be Pinned
Summary
The GitHub Actions used in your workflow file (.github/workflows/wf6.yml) are not pinned properly.
Pinning actions ensures that your workflow runs with a known, trusted version of the action, reducing the risk of unexpected behavior or vulnerabilities caused by changes in the upstream action.
Why This is Important
Using unpinned versions of GitHub Actions in workflows can expose your repository to potential security and stability risks.
Actions that are not pinned may automatically use the latest version, which could introduce breaking changes, unexpected behavior, or even vulnerabilities. By pinning actions to a specific version or commit SHA, you ensure that your workflows run consistently and securely with a trusted version of the action.
This reduces the risk of your workflows being impacted by upstream changes.
For further guidance, refer to the GitHub Security Guide on Pinning Actions
GitHub Token Permissions Are Not Set to Minimum in Workflow
Summary
The GitHub token permissions in your workflow file (.github/workflows/wf6.yml) exceed the minimum required.
Reducing permissions to the minimum necessary enhances security by limiting the access scope of the token,
thereby lowering the risk of accidental or malicious misuse.
Why This is Important
Using excessive permissions in GitHub workflows can expose your repository to potential security risks.
The GitHub token grants access to repository resources, and any unnecessary permissions increase the likelihood
of sensitive actions being performed without justification. By applying the principle of least privilege,
you protect your repository from unintended data exposure and ensure that each job only has access to what it absolutely needs.
For further guidance, refer to the GitHub documentation on fine-grained permissions.
Evidence of Excessive Permissions
For more context, please refer to the build log from your recent workflow run.
Suggested Fix
Update your workflow file with this suggested configuration to resolve this issue:
name: Test GitHubToken Excessive Permissions
on:
push:
branches:
- main
+ permissions:
+ contents: read
jobs:
test-permissions:
runs-on: ubuntu-latest
permissions:
contents: write
issues: write
pull-requests: write
actions: write
checks: write
deployments: write
statuses: write
packages: write
repository-projects: write
discussions: write
security-events: write
steps:
- name:
+ Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
+ with:
+ egress-policy: audit
+ - name:
Checkout code
uses: actions/checkout@
- v
+ f43a0e5ff2bd2940956
3
+ 8e18286ca9a3d1956744
- name: Dummy Step
run: echo "This is to test excessive token permissions"Next Steps
Please review and update the workflow file with the above changes.
If you'd like us to create a pull request with the suggested changes for you, comment /secure-workflow on this issue, and we will handle the rest.
Severity: High