Class: Rules::UnscopedAppToken

Inherits:

Base

• Object
• Base
• Rules::UnscopedAppToken

Defined in:

lib/rules/unscoped_app_token.rb

Instance Method Summary

• #check(workflow) ⇒ Object
• #description ⇒ Object
• #name ⇒ Object
• #severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ Object

# File 'lib/rules/unscoped_app_token.rb', line 7

def check(workflow)
  findings = []

  workflow.jobs.each do |_job_id, job|
    workflow.steps(job).each do |step|
      next unless step["uses"]&.include?("create-github-app-token")

      with = step["with"] || {}
      has_permissions = with.keys.any? { |k| k.start_with?("permission-") }

      unless has_permissions
        line = workflow.line_of(/create-github-app-token/)
        findings << finding(workflow,
          line: line || 0,
          message: "App token inherits blanket installation permissions",
          fix: "Add permission-<name>: write inputs to scope the token"
        )
      end
    end
  end

  findings
end

#description ⇒ Object

# File 'lib/rules/unscoped_app_token.rb', line 4

def description = "GitHub App token without scoped permissions"

#name ⇒ Object

# File 'lib/rules/unscoped_app_token.rb', line 3

def name = "unscoped-app-token"

#severity ⇒ Object

# File 'lib/rules/unscoped_app_token.rb', line 5

def severity = :high