Class: Rules::ExcessivePermissions

Inherits:
Base
  • Object
Defined in:
lib/rules/excessive_permissions.rb

Constant Summary

# Actions that perform write operations.
# Each pattern is matched against a step's action reference (the `uses:` value,
# presumably without regard to the version suffix — confirm against the caller).
WRITE_ACTIONS = [
  %r{peter-evans/create-pull-request},
  %r{stefanzweifel/git-auto-commit-action},
  %r{ad-m/github-push-action},
  %r{EndBug/add-and-commit},
].freeze
# Run commands that require write access.
# NOTE(review): the last pattern matches every `gh api` invocation, including
# read-only ones, so a job that only queries the API is presumably treated as
# needing write access (and therefore not flagged) — confirm in has_write_operations?.
WRITE_COMMANDS = [
  %r{\bgit\s+push\b},
  %r{\bgh\s+pr\s+create\b},
  %r{\bgh\s+pr\s+merge\b},
  %r{\bgh\s+pr\s+comment\b},
  %r{\bgh\s+pr\s+review\b},
  %r{\bgh\s+release\s+create\b},
  %r{\bgh\s+api\b},
].freeze

Instance Method Summary

Instance Method Details

#check(workflow) ⇒ Object



# File 'lib/rules/excessive_permissions.rb', line 26

# Flags jobs that hold `contents: write` but whose steps show no write operation.
#
# @param workflow the workflow under review; must respond to #jobs,
#   #permissions, #steps and #line_of
# @return [Array] one finding per job whose write permission appears unused
def check(workflow)
  workflow.jobs.each_with_object([]) do |(job_id, job), findings|
    perms = workflow.permissions(scope: :job, job: job)
    # Only an explicit permissions map with contents: write is examined.
    # A non-Hash value (e.g. the `write-all` shorthand, if the helper returns
    # it verbatim — TODO confirm) is skipped here rather than flagged.
    next unless perms.is_a?(Hash) && perms["contents"] == "write"
    # A job with a known write action or command is assumed to need the grant.
    next if has_write_operations?(workflow.steps(job))

    # Locate the job key in the source so the finding points at the job header.
    location = workflow.line_of(/^\s+#{Regexp.escape(job_id)}:/)
    findings << finding(
      workflow,
      line: location || 0,
      code: "#{job_id}: permissions: contents: write",
      message: "This job has contents: write permission but no steps that appear to need it",
      fix: "This job has write permissions but no steps that appear to need them. Consider restricting to contents: read."
    )
  end
end

#description ⇒ Object



# File 'lib/rules/excessive_permissions.rb', line 4

# Human-readable summary of what this rule reports.
# @return [String]
def description
  "Job has write permissions but no steps that appear to need them"
end

#name ⇒ Object



# File 'lib/rules/excessive_permissions.rb', line 3

# Stable identifier of this rule, as used in reports and configuration.
# @return [String]
def name
  "excessive-permissions"
end

#severity ⇒ Object



# File 'lib/rules/excessive_permissions.rb', line 5

# Severity assigned to findings from this rule.
# @return [Symbol]
def severity
  :medium
end