Harden GitHub Actions Workflow - hosted-network-filtering-hr.yml #198
Labels
Comments
Ramyromel
added a commit
to Ramyromel/github-actions-goat
that referenced
this issue
Jan 26, 2025
Fixes step-security#198 Add fine-grained permissions for GitHub tokens in multiple workflow files to enhance security by limiting access scope. * **Documentation Update** - Add a section on using fine-grained permissions for GitHub tokens in `docs/Solutions/FixGITHUB_TOKENPermissions.md`. - Include an example of setting `permissions: contents: read` in a workflow file. - Mention the importance of the principle of least privilege. * **Workflow Files Update** - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-network-filtering-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-file-monitor-with-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-file-monitor-without-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-https-monitoring-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-network-monitoring-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-network-without-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/arc-codecov-simulation.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/arc-secure-by-default.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/arc-solarwinds-simulation.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/arc-zero-effort-observability.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/baseline_checks.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/block-dns-exfiltration.yaml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/changed-files-vulnerability-with-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/changed-files-vulnerability-without-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/publish.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/self-hosted-file-monitor-with-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/self-hosted-network-filtering-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/self-hosted-network-monitoring-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/unexpected-outbound-calls.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/anomalous-outbound-calls.yaml`. --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/step-security/github-actions-goat/issues/198?shareId=XXXX-XXXX-XXXX-XXXX).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
GitHub Token Permissions Are Not Set to Minimum in Workflow
Summary
The GitHub token permissions in your workflow file (.github/workflows/hosted-network-filtering-hr.yml) exceed the minimum required. Reducing permissions to the minimum necessary enhances security by limiting the access scope of the token, thereby lowering the risk of accidental or malicious misuse.
Why This is Important
Using excessive permissions in GitHub workflows can expose your repository to potential security risks. The GitHub token grants access to repository resources, and any unnecessary permissions increase the likelihood of sensitive actions being performed without justification. By applying the principle of least privilege, you protect your repository from unintended data exposure and ensure that each job only has access to what it absolutely needs.
Evidence of Excessive Permissions
For more context, please refer to the build log from your recent workflow run, which highlights the permissions granted to the GitHub token that exceed the recommended minimum.
Suggested Fix
Below is the updated permissions configuration, which minimizes access for the GitHub token. Update your workflow file with this suggested configuration to resolve this issue:
```diff name: "Hosted: Network Filtering with Harden-Runner" on: pull_request: workflow_dispatch: + permissions: + contents: read jobs: build: runs-on: ubuntu-latest steps: - name: Harden Runner uses: step-security/harden-runner@v2 with: disable-sudo: true egress-policy: block allowed-endpoints: > github.com:443 www.githubstatus.com:443 - uses: crazy-max/ghaction-github-status@v4 - uses: actions/checkout@v3 - run: | curl https://exfiltrationdemo.blob.core.windows.net/Next Steps
Please review and update the workflow file with these minimum permissions. If additional permissions are necessary for certain steps, specify only those permissions explicitly.
For further guidance, refer to the GitHub documentation on fine-grained permissions.
Severity: High
The text was updated successfully, but these errors were encountered: