Adjusted to max score with warning if job content are set to write (o…

…ssf#2355) Signed-off-by: Eddie Knight <[email protected]> Signed-off-by: Eddie Knight <[email protected]> Signed-off-by: nathaniel.wert <[email protected]>
N8BWert · Nov 28, 2022 · ac0d5e8 · ac0d5e8
1 parent 29ec537
commit ac0d5e8
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/checks/evaluation/permissions.go b/checks/evaluation/permissions.go
@@ -241,8 +241,9 @@ func calculateScore(result map[string]permissions) int {
 
  // contents.
  // Allows attacker to commit unreviewed code.
+ // Scoring does not apply to job-level permissions, as this is a common place to use third-party actions.
  // High risk: -10
- if permissionIsPresent(perms, "contents") {
+ if permissionIsPresentInTopLevel(perms, "contents") {
  score -= checker.MaxResultScore
  }
 

diff --git a/checks/permissions_test.go b/checks/permissions_test.go
@@ -251,7 +251,7 @@ func TestGithubTokenPermissions(t *testing.T) {
  filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-contents-writes-no-release.yaml"},
  expected: scut.TestReturn{
  Error: nil,
- Score: checker.MinResultScore,
+ Score: checker.MaxResultScore,
  NumberOfWarn: 1,
  NumberOfInfo: 1,
  NumberOfDebug: 4,