In this post, I introduce two practices to improve GitHub Actions security and a CLI for them.
Practices:
- Only the minimum `permissions` should be set per job. The default `permissions` should not be used, and `permissions` other than `{}` should not be set at the workflow level
- `secrets` should be set per step and should not be set at the job or workflow level
These practices are basic and not novel, but many workflows don't conform to them.
Almost all workflows depend on tools such as reusable workflows, actions, and CLIs, so there is always a risk that malicious code is executed via a tampered dependency.
So it is essential to minimize the damage by restricting the `permissions` of `GITHUB_TOKEN` and the scope of `secrets`, so that even if malicious code is executed, it can do little.
`GITHUB_TOKEN` has too broad permissions by default (depending on the repository's workflow permissions setting, the default may include write access to most scopes), so you should set the minimum `permissions` explicitly.
`permissions` should not be set at the workflow level even when all current jobs require them, because workflow-level `permissions` are inherited by every job, including jobs that do not need them or are added later.
`read-all` and `write-all` should not be used because they are far broader than any single job needs.
You can use the following syntax to disable permissions for all of the available scopes at the workflow level:

```yaml
permissions: {}
```
`secrets` should not be set in the `env` of a workflow or a job, because then steps that don't need those `secrets` can also access them. Set them in the `env` of the step that actually uses them.
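As an added illustration (not code from this post or from ghalint), the following Python script applies the three practices above to a workflow. The two workflows are constructed examples written as the dict a YAML parser would produce: a weak release workflow that relies on the default `GITHUB_TOKEN` permissions, uses `write-all`, and exposes secrets in workflow- and job-level `env`, and the same workflow hardened with `permissions: {}` at the workflow level, minimal per-job `permissions`, and the secret moved into the single step that needs it. The check function is my own; it is not ghalint's implementation.

```python
"""Check a parsed GitHub Actions workflow against three practices:
  1. workflow-level `permissions` is present and equal to `{}`
  2. every job sets its own `permissions`, never `read-all` / `write-all`
  3. `${{ secrets.* }}` appears only in step-level `env`, not workflow/job `env`
"""
import re
from typing import Any

# Matches a GitHub Actions expression that reads a secret, e.g. "${{ secrets.NPM_TOKEN }}"
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")


def _env_secret_refs(env: Any) -> list[str]:
    """Return the env keys whose value references `secrets.*`."""
    if not isinstance(env, dict):
        return []
    return [k for k, v in env.items() if isinstance(v, str) and SECRET_REF.search(v)]


def check_workflow(wf: dict) -> list[str]:
    """Return one human-readable finding per violated practice (empty list = clean)."""
    findings: list[str] = []

    # Practice 1, workflow level: must be explicitly `{}`
    if "permissions" not in wf:
        findings.append("workflow: `permissions` is not set; GITHUB_TOKEN gets the repository's default permissions")
    elif wf["permissions"] != {}:
        findings.append(f"workflow: `permissions` should be `{{}}`, got {wf['permissions']!r}")

    # Practice 3, workflow level: no secrets in workflow env
    for key in _env_secret_refs(wf.get("env")):
        findings.append(f"workflow: env.{key} references a secret; move it to the step that needs it")

    for name, job in (wf.get("jobs") or {}).items():
        perms = job.get("permissions")
        # Practice 1, job level: each job declares its own minimal permissions
        if perms is None:
            findings.append(f"job {name}: `permissions` is not set")
        elif perms in ("read-all", "write-all"):
            findings.append(f"job {name}: `permissions: {perms}` is too broad")
        # Practice 3, job level: no secrets in job env (step env is fine)
        for key in _env_secret_refs(job.get("env")):
            findings.append(f"job {name}: env.{key} references a secret; move it to the step that needs it")
    return findings


# Constructed example: parsed form of a weak workflow (not from any real repository).
WEAK_WORKFLOW = {
    "name": "release",
    "on": {"push": {"branches": ["main"]}},
    "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"},  # visible to every step of every job
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            # no `permissions`: inherits the default GITHUB_TOKEN permissions
            "steps": [{"uses": "actions/checkout@v4"}, {"run": "npm ci && npm test"}],
        },
        "publish": {
            "runs-on": "ubuntu-latest",
            "permissions": "write-all",
            "env": {"GH_TOKEN": "${{ secrets.GITHUB_TOKEN }}"},  # visible to every step of the job
            "steps": [{"uses": "actions/checkout@v4"}, {"run": "npm publish"}],
        },
    },
}

# Constructed example: the same workflow following the three practices.
HARDENED_WORKFLOW = {
    "name": "release",
    "on": {"push": {"branches": ["main"]}},
    "permissions": {},  # deny every scope at the workflow level
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "read"},  # only what checkout needs
            "steps": [{"uses": "actions/checkout@v4"}, {"run": "npm ci && npm test"}],
        },
        "publish": {
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "read"},
            "steps": [
                {"uses": "actions/checkout@v4"},
                {
                    "run": "npm publish",
                    # the secret is exposed only to this step
                    "env": {"NODE_AUTH_TOKEN": "${{ secrets.NPM_TOKEN }}"},
                },
            ],
        },
    },
}

if __name__ == "__main__":
    for finding in check_workflow(WEAK_WORKFLOW):
        print(finding)
    print("hardened workflow findings:", check_workflow(HARDENED_WORKFLOW))
```

Running it prints five findings for the weak workflow (missing workflow `permissions`, a workflow-level secret, a job without `permissions`, a `write-all` job, and a job-level secret) and none for the hardened one. The script only sees what a YAML parser produces, so `permissions: {}` at the workflow level and a missing `permissions` key are distinguished by key presence, which is exactly the distinction the first practice relies on.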
ghalint - Check if workflows conform to practices
I've developed a CLI to check if workflows conform to the above practices.
https://github.com/suzuki-shunsuke/ghalint
For usage, please see the documentation.