From ad0349935ff524e40a8d97788072c4dce6732bb9 Mon Sep 17 00:00:00 2001
From: shubham-stepsecurity
Date: Fri, 6 Sep 2024 17:01:10 +0530
Subject: [PATCH 1/2] Do not set permissions for jobs with GITHUB_TOKEN in job level env
---
 remediation/workflow/metadata/actionmetadata.go | 1 +
 remediation/workflow/permissions/permissions.go | 16 ++++++++++++++++
 .../input/github-token-in-job-env.yml | 16 ++++++++++++++++
 .../output/github-token-in-job-env.yml | 1 +
 4 files changed, 34 insertions(+)
 create mode 100644 testfiles/joblevelpermskb/input/github-token-in-job-env.yml
 create mode 100644 testfiles/joblevelpermskb/output/github-token-in-job-env.yml
diff --git a/remediation/workflow/metadata/actionmetadata.go b/remediation/workflow/metadata/actionmetadata.go
index 1fb20302..98cf4b6c 100644
--- a/remediation/workflow/metadata/actionmetadata.go
+++ b/remediation/workflow/metadata/actionmetadata.go
@@ -30,6 +30,7 @@ type Step struct {
 type Job struct {
 Permissions Permissions `yaml:"permissions"`
 Uses string `yaml:"uses"`
+ Env Env `yaml:"env"`
 // RunsOn []string `yaml:"runs-on"`
 Steps []Step `yaml:"steps"`
 }
diff --git a/remediation/workflow/permissions/permissions.go b/remediation/workflow/permissions/permissions.go
index b26d63a3..8ffa5d7a 100644
--- a/remediation/workflow/permissions/permissions.go
+++ b/remediation/workflow/permissions/permissions.go
@@ -38,6 +38,7 @@ const errorMissingAction = "KnownIssue-4: Action %s is not in the knowledge base
 const errorAlreadyHasPermissions = "KnownIssue-5: Permissions were not added to the job since it already had permissions defined"
 const errorDockerAction = "KnownIssue-6: Action %s is a docker action which uses Github token. Docker actions that uses token are not supported"
 const errorReusableWorkflow = "KnownIssue-7: Action %s is a reusable workflow. Reusable workflows are not supported as of now."
+const errorGithubTokenInJobEnv = "KnownIssue-8: Permissions were not added to the jobs since it has GITHUB_TOKEN in job level env variable"
 const errorIncorrectYaml = "Unable to parse the YAML workflow file"
 // To avoid a typo while adding the permissions
@@ -78,6 +79,15 @@ func alreadyHasWorkflowPermissions(workflow metadata.Workflow) bool {
 return workflow.Permissions.IsSet
 }
+func githubTokenInJobLevelEnv(job metadata.Job) bool {
+ for _, envValue := range job.Env {
+ if strings.Contains(envValue, "secrets.GITHUB_TOKEN") || strings.Contains(envValue, "github.token") {
+ return true
+ }
+ }
+ return false
+}
+
 func AddWorkflowLevelPermissions(inputYaml string, addProjectComment bool) (string, error) {
 workflow := metadata.Workflow{}
@@ -177,6 +187,12 @@ func AddJobLevelPermissions(inputYaml string) (*SecureWorkflowReponse, error) {
 continue
 }
+ if githubTokenInJobLevelEnv(job) {
+ fixWorkflowPermsReponse.HasErrors = true
+ errors[jobName] = append(errors[jobName], errorGithubTokenInJobEnv)
+ continue
+ }
+
 if metadata.IsCallingReusableWorkflow(job) {
 fixWorkflowPermsReponse.HasErrors = true
 errors[jobName] = append(errors[jobName], fmt.Sprintf(errorReusableWorkflow, job.Uses))
diff --git a/testfiles/joblevelpermskb/input/github-token-in-job-env.yml b/testfiles/joblevelpermskb/input/github-token-in-job-env.yml
new file mode 100644
index 00000000..a1368dcb
--- /dev/null
+++ b/testfiles/joblevelpermskb/input/github-token-in-job-env.yml
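Review bot: `githubTokenInJobLevelEnv` matches the token reference with case-sensitive `strings.Contains` on two exact spellings, so a job-level value written as `${{ secrets.github_token }}`, `${{ github.TOKEN }}` or in index form such as `secrets['GITHUB_TOKEN']` is not detected. Context and property names in GitHub Actions expressions are matched case-insensitively, so those spellings hand the same token to every step of the job; when the check misses them, `AddJobLevelPermissions` falls through to the remaining checks and presumably computes permissions without accounting for that token use, which can leave the job under-permissioned after the rewrite. Lower-casing before the comparison covers the case variants, `v := strings.ToLower(envValue)` followed by `if strings.Contains(v, "secrets.github_token") || strings.Contains(v, "github.token") {`; the bracket form needs its own pattern. The fixture added in this patch only exercises `${{secrets.GITHUB_TOKEN}}`, so a second input using `github.token` and a mixed-case spelling would pin the behaviour. The call site sits inside a loop in `AddJobLevelPermissions` whose start and end are outside the hunk.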
@@ -0,0 +1,16 @@
+name: Job level env
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ job-with-error:
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - name: some step that uses token
+ run: |
+ npm ci
\ No newline at end of file
diff --git a/testfiles/joblevelpermskb/output/github-token-in-job-env.yml b/testfiles/joblevelpermskb/output/github-token-in-job-env.yml
new file mode 100644
index 00000000..19a913d7
--- /dev/null
+++ b/testfiles/joblevelpermskb/output/github-token-in-job-env.yml
@@ -0,0 +1 @@
+KnownIssue-8: Permissions were not added to the jobs since it has GITHUB_TOKEN in job level env variable
\ No newline at end of file
From fa5ec87148ab95fd9cadb07bf8071bc0a978bf38 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Fri, 6 Sep 2024 05:27:00 -0700
Subject: [PATCH 2/2] Update KB and action tags
---
 .github/workflows/automatePR.yml | 4 ++--
 .github/workflows/codeql.yml | 4 ++--
 .github/workflows/int.yml | 4 ++--
 .github/workflows/kb-test.yml | 4 ++--
 .github/workflows/kbanalysis.yml | 4 ++--
 .github/workflows/release.yml | 6 +++---
 .github/workflows/scorecards.yml | 4 ++--
 .github/workflows/test.yml | 4 ++--
 .../actions/remove-disabled-formulae/action-security.yml | 2 --
 9 files changed, 17 insertions(+), 19 deletions(-)
 delete mode 100644 knowledge-base/actions/homebrew/actions/remove-disabled-formulae/action-security.yml
diff --git a/.github/workflows/automatePR.yml b/.github/workflows/automatePR.yml
index 601156b1..3f7d2b00 100644
--- a/.github/workflows/automatePR.yml
+++ b/.github/workflows/automatePR.yml
@@ -17,11 +17,11 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
 egress-policy: audit
- - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 with:
 repository: step-security/secure-repo
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e540ccc3..dc85a5fa 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -41,12 +41,12 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
 with:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml
index d1210f38..a5c97512 100644
--- a/.github/workflows/int.yml
+++ b/.github/workflows/int.yml
@@ -15,11 +15,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
 with:
 egress-policy: audit
 - name: Checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 with:
 fetch-depth: 0
 - name: Set up Go
diff --git a/.github/workflows/kb-test.yml b/.github/workflows/kb-test.yml
index 5819dc6a..2ba76527 100644
--- a/.github/workflows/kb-test.yml
+++ b/.github/workflows/kb-test.yml
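Review bot: The new `actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332` pin in automatePR.yml drops the version comment the old line carried (`#v4.1.6`), so the file no longer says which release the SHA is meant to be. The checkout pins in codeql.yml, int.yml, kbanalysis.yml, release.yml, scorecards.yml and test.yml lose their comment the same way, and `step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde` is annotated `# v2.9.1` in some files but left bare in codeql.yml, int.yml, kbanalysis.yml and release.yml. In kb-test.yml the same checkout SHA is annotated `# v2`, while the fixture added in patch 1/2 labels it `# v4`, so at least one of those comments is wrong. A consistent trailing release comment on every pinned `uses:` line, checked against the upstream tag, keeps pin updates reviewable, for example `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4` if v4 is confirmed as the matching tag.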
@@ -14,7 +14,7 @@ jobs:
 contents: read
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v1
+ - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
 allowed-endpoints: >
 api.github.com:443
@@ -25,7 +25,7 @@ jobs:
 objects.githubusercontent.com:443
 golang.org:443
 - name: Checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v2
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Set up Go
diff --git a/.github/workflows/kbanalysis.yml b/.github/workflows/kbanalysis.yml
index 30b021ad..7fcbd622 100644
--- a/.github/workflows/kbanalysis.yml
+++ b/.github/workflows/kbanalysis.yml
@@ -22,11 +22,11 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
 with:
 egress-policy: audit
- - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 with:
 repository: step-security/secure-repo
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 50e2bc1d..612258ea 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,11 +17,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
 with:
 egress-policy: audit
 - name: Checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 with:
 fetch-depth: 0
 - name: Set up Go
@@ -33,7 +33,7 @@ jobs:
 env:
 PAT: ${{ secrets.PAT }}
- - uses: step-security/wait-for-secrets@1204ba02d7a707c4ef2e906d2ea1e36eebd9bbd2
+ - uses: step-security/wait-for-secrets@5809f7d044804a5a1d43217fa8f3e855939fc9ef
 id: wait-for-secrets
 with:
 slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 7b43cb48..77d93859 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -32,12 +32,12 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
 egress-policy: audit
 - name: "Checkout code"
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 with:
 persist-credentials: false
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3ca6a98c..5f5d9702 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,7 +16,7 @@ jobs:
 contents: read
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
 egress-policy: audit
 allowed-endpoints: >
@@ -31,7 +31,7 @@ jobs:
 objects.githubusercontent.com:443
 golang.org:443
 - name: Checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Set up Go
diff --git a/knowledge-base/actions/homebrew/actions/remove-disabled-formulae/action-security.yml b/knowledge-base/actions/homebrew/actions/remove-disabled-formulae/action-security.yml
deleted file mode 100644
index 2ffad340..00000000
--- a/knowledge-base/actions/homebrew/actions/remove-disabled-formulae/action-security.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-name: Remove disabled formulae # Homebrew/actions/remove-disabled-formulae
-# GITHUB_TOKEN not used
\ No newline at end of file