-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #135 from stacklok/detect-actions-default-permissions
Add rule to detect GitHub Actions using default permissions
- Loading branch information
Showing
1 changed file
with
74 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| version: v1 | ||
| type: rule-type | ||
| name: actions_check_default_permissions | ||
| severity: | ||
| value: medium | ||
| context: | ||
| provider: github | ||
| description: Alerts on default GitHub Actions permissions | ||
| guidance: | | ||
| Ensure that GitHub Actions have permissions specified. | ||
| The default permissions for GitHub Actions allow broad access to the repository, | ||
| including the ability to update repo contents, approve pull requests, and update | ||
| releases, packages, and deployments. To limit these permissions, specify | ||
| permissions explicitly either in the top level of the workflow file, or for each | ||
| job in the workflow. | ||
| For more information, see | ||
| https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | ||
| def: | ||
| in_entity: repository | ||
| # Defines the schema for writing a rule with this rule being checked | ||
| rule_schema: | ||
| type: object | ||
| properties: {} | ||
| # Defines the configuration for ingesting data relevant for the rule | ||
| ingest: | ||
| type: git | ||
| git: {} | ||
| # Defines the configuration for evaluating data ingested against the given profile | ||
| # This example checks that in each file there exists either a top-level permissions | ||
| # block or that each job in the file has its own permissions block. | ||
| eval: | ||
| type: rego | ||
| rego: | ||
| type: deny-by-default | ||
| def: | | ||
| package minder | ||
| import rego.v1 | ||
| default allow := false | ||
| # List all workflows | ||
| workflows := file.ls("./.github/workflows") | ||
| # Read all workflows | ||
| allow if { | ||
| every filename in workflows { | ||
| workflowstr := file.read(filename) | ||
| workflow := yaml.unmarshal(workflowstr) | ||
| permissions_ok(workflow) | ||
| } | ||
| } | ||
| permissions_ok(workflow) if { | ||
| count(workflow.permissions) >= 0 | ||
| } | ||
| permissions_ok(workflow) if { | ||
| every job in workflow.jobs { | ||
| count(job.permissions) >= 0 | ||
| } | ||
| } | ||
| # We don't have a remediation method in place yet. | ||
|
|
||
| # Defines the configuration for alerting on the rule | ||
| alert: | ||
| type: security_advisory | ||
| security_advisory: {} |