step-security/secure-repo

Harden GitHub Actions Workflow - int.yml

Closed this issue · 0 comments

GitHub Token Permissions Are Not Set to Minimum in Workflow

Summary

The GitHub token permissions in your workflow file (.github/workflows/int.yml) exceed the minimum required. Reducing permissions to the minimum necessary enhances security by limiting the access scope of the token, thereby lowering the risk of accidental or malicious misuse.

Why This is Important

Using excessive permissions in GitHub workflows can expose your repository to potential security risks. The GitHub token grants access to repository resources, and any unnecessary permissions increase the likelihood of sensitive actions being performed without justification. By applying the principle of least privilege, you protect your repository from unintended data exposure and ensure that each job only has access to what it absolutely needs.

Evidence of Excessive Permissions

For more context, please refer to the build log from your recent workflow run, which highlights the permissions granted to the GitHub token that exceed the recommended minimum.

Suggested Fix

Below is the updated permissions configuration, which minimizes access for the GitHub token. Update your workflow file with this suggested configuration to resolve this issue:

```diff
  name: Cfnrelease-int
  on:
    push: 
      branches:    
       - int
      
  permissions:  # added using https://github.com/step-security/secure-repo
    contents: read
  jobs:
    publish-test:
      permissions:
        contents: read
      runs-on: ubuntu-latest
      steps:
        - name: Harden Runner
          uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
          with:
            egress-policy: audit
        - name: Checkout
          uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
          with:
            fetch-depth: 0
        - name: Set up Go 
          uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8
          with:
            go-version: 1.17
        - name: Configure AWS Credentials
          uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e
          with:
            aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_INT }}  
            aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_INT }}
            aws-region: us-west-2
        
        - run: go test ./...  -coverpkg=./...
          env: 
            PAT: ${{ secrets.PAT }}
        
        - name: Deploy to AWS CloudFormation
          uses: aws-actions/aws-cloudformation-github-deploy@72bea2c93ca6be253b71b5966ecde13f9e8af2d4
          with:
            name: secure-workflow-api-ecr
            template: cloudformation/ecr.yml
            parameter-overrides: "ResourceName=secure-workflow-api"
            no-fail-on-empty-changeset: "1"
        
        - name: Login to Amazon ECR
          id: login-ecr
          uses: aws-actions/amazon-ecr-login@aaf69d68aa3fb14c1d5a6be9ac61fe15b48453a2
        - name: Build, tag, and push image to Amazon ECR
          env:
            ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
            ECR_REPOSITORY: secure-workflow-api
            IMAGE_TAG: ${{ github.sha }}
          run: |
            docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
            docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
        
        - name: Deploy to AWS CloudFormation
          uses: aws-actions/aws-cloudformation-github-deploy@72bea2c93ca6be253b71b5966ecde13f9e8af2d4
          with:
            name: secure-workflow-api
            template: cloudformation/resources.yml
            parameter-overrides: >-
              ResourceName=secure-workflow-api,
              ImageTag=${{ github.sha }},
              PAT=${{ secrets.PAT }}            
            no-fail-on-empty-changeset: "1"
        
          

Next Steps

Please review and update the workflow file with these minimum permissions. If additional permissions are necessary for certain steps, specify only those permissions explicitly.

For further guidance, refer to the GitHub documentation on fine-grained permissions.

Severity: High