# Excessive GITHUB_TOKEN permissions
| Rule ID | |
|---|---|
| Category | security |
| Severity | critical |
Workflow uses `permissions: write-all` or does not restrict token scope. The `GITHUB_TOKEN` should follow least privilege — declare only the permissions actually needed.
## Detection
`static_analysis` — Checks the presence or value of the `permissions` field in the workflow YAML, at the workflow level and in each job.
## Examples
Non-compliant:

```yaml
on: push                      # trigger added so the snippet is a complete workflow
permissions: write-all        # every scope granted to GITHUB_TOKEN for all jobs
jobs:
  build:
    runs-on: ubuntu-latest    # required by the runner; omitted in the original fragment
    steps:
      - uses: actions/checkout@v4
      - run: npm run build
```
Compliant:

```yaml
on: push                      # trigger added so the snippet is a complete workflow
permissions: {}               # workflow default: no scopes at all
jobs:
  build:
    runs-on: ubuntu-latest    # required by the runner; omitted in the original fragment
    permissions:
      contents: read          # the only scope actions/checkout needs here
    steps:
      - uses: actions/checkout@v4
      - run: npm run build
```
Fix: Replace `write-all` with a minimal `permissions` block declaring only the scopes the workflow actually needs. Set `permissions: {}` at the workflow level, which removes every scope from the token, and add per-job overrides for the scopes each job requires (for example `contents: read` for a job that only checks out the repository). A job with no `permissions` block of its own inherits the workflow-level setting, and a workflow with no `permissions` field at all receives whatever the repository default grants.
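The detection described above and the two snippets in the examples, worked through as an added example that is not the rule engine's own code: a small indentation-driven walker over the workflow file that locates `permissions` at the workflow and job level and reports `write-all`, inherited `write-all`, and the case where no permissions are declared anywhere. The sample workflows embedded in it are constructed; the walker deliberately models only mapping keys and skips list items such as `steps`, because that is all this rule needs, and it is not a general YAML parser.

```python
"""Line-based checker for the excessive GITHUB_TOKEN permissions rule (constructed example)."""
from dataclasses import dataclass

_MISSING = object()  # sentinel: key absent, so the token inherits the next level up


@dataclass(frozen=True)
class Finding:
    location: str  # "workflow" or "job <name>"
    message: str


def _tokenize(text):
    """Return (indent, content) for every non-blank, non-comment line."""
    tokens = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        content = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        tokens.append((len(content) - len(content.lstrip(" ")), content.strip()))
    return tokens


def _scalar(value):
    value = value.strip().strip("'\"")
    return {} if value == "{}" else value  # permissions: {} is an empty mapping


def _parse(tokens, pos, indent):
    """Build nested dicts for the mapping keys found at exactly `indent` spaces."""
    node = {}
    while pos < len(tokens):
        ind, text = tokens[pos]
        if ind < indent:
            break
        if ind > indent or text.startswith("- ") or text == "-":
            pos += 1  # list item, or a key nested inside one: not modelled here
            continue
        key, _, value = text.partition(":")
        pos += 1
        if value.strip():
            node[key.strip()] = _scalar(value)
        elif pos < len(tokens) and tokens[pos][0] > ind and not tokens[pos][1].startswith("- "):
            node[key.strip()], pos = _parse(tokens, pos, tokens[pos][0])
        else:
            node[key.strip()] = None  # empty value or a list (e.g. steps)
    return node, pos


def check_workflow(text):
    """Apply the rule: flag write-all and jobs whose token scope is never restricted."""
    doc, _ = _parse(_tokenize(text), 0, 0)
    findings = []
    wf_perms = doc.get("permissions", _MISSING)
    if wf_perms == "write-all":
        findings.append(Finding("workflow", "permissions: write-all grants every scope to GITHUB_TOKEN"))
    for name, job in (doc.get("jobs") or {}).items():
        job_perms = (job or {}).get("permissions", _MISSING)
        if job_perms == "write-all":
            findings.append(Finding(f"job {name}", "permissions: write-all grants every scope to GITHUB_TOKEN"))
            continue
        effective = wf_perms if job_perms is _MISSING else job_perms
        if effective is _MISSING:
            findings.append(Finding(f"job {name}", "no permissions declared at workflow or job level; "
                                                  "token scope is the repository default"))
        elif effective == "write-all":
            findings.append(Finding(f"job {name}", "inherits write-all from the workflow level"))
    return findings


# Constructed sample workflows mirroring the rule's two examples plus the undeclared case.
NONCOMPLIANT = """\
on: push
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm run build
"""

COMPLIANT = """\
on: push
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm run build
"""

UNDECLARED = """\
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm test
"""

if __name__ == "__main__":
    for label, wf in (("non-compliant", NONCOMPLIANT), ("compliant", COMPLIANT), ("undeclared", UNDECLARED)):
        print(label, [(f.location, f.message) for f in check_workflow(wf)])
```

The walker treats `read-all` and any explicit scope block as restricted, so only `write-all` and the fully undeclared case produce findings; the inherited-`write-all` finding per job is what makes the report actionable, since the fix for the workflow-level line may be to keep `{}` there and move narrower scopes into each job.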