Class: Rules::UnscopedAppToken

Inherits:

Base

• Object
• Base
• Rules::UnscopedAppToken

Defined in:

lib/rules/unscoped_app_token.rb

Instance Method Summary

• #check(workflow) ⇒ Object
• #description ⇒ Object
• #name ⇒ Object
• #severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ Object

# File 'lib/rules/unscoped_app_token.rb', line 7

def check(workflow)
    findings = []

    workflow.jobs.each do |_job_id, job|
        workflow.steps(job).each do |step|
            next unless step["uses"]&.include?("create-github-app-token")

            with = step["with"] || {}
            has_permissions = with.keys.any? { |k| k.start_with?("permission-") }

            unless has_permissions
                line = workflow.line_of(/create-github-app-token/)
                findings << finding(workflow,
                    line: line || 0,
                    message: "App token inherits blanket installation permissions",
                    fix: "Add permission-<name>: write inputs to scope the token"
                )
            end
        end
    end

    findings
end

#description ⇒ Object

# File 'lib/rules/unscoped_app_token.rb', line 4

def description = "GitHub App token without scoped permissions"

#name ⇒ Object

# File 'lib/rules/unscoped_app_token.rb', line 3

def name = "unscoped-app-token"

#severity ⇒ Object

# File 'lib/rules/unscoped_app_token.rb', line 5

def severity = :high