GitHub Actions have Read / Write permissions

Checks for GitHub organizations that grant GitHub Actions Read / Write permissions to the GitHub API.

Allowing GitHub Actions workflows to request GitHub API tokens with elevated privileges, that is, tokens that can perform write actions through the API (such as triggering other workflows or updating repository contents), is a security risk. A Continuous Integration (CI) system such as GitHub Actions should be designed and configured as securely as production systems. In fact, since the artifacts built by such a system are often deployed automatically (CD, Continuous Deployment), any compromise of CI/CD indirectly affects production, because malicious code can end up there.

Examples

Insecure Example

Insecure GitHub Action Configuration

Secure Example

Secure GitHub Action Configuration
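The following is an added example, not the check's own code, showing how the organization-level setting above can be evaluated from the GitHub API. It assumes the response shape of `GET /orgs/{org}/actions/permissions/workflow` and `GET /repos/{owner}/{repo}/actions/permissions/workflow` (field `default_workflow_permissions`, value `read` or `write`); the organization and repository names are constructed.

```python
"""Evaluate GitHub Actions default GITHUB_TOKEN permissions from API responses.

Hypothetical helper written for this page. Sample payloads are constructed to
mirror the shape of
  GET /orgs/{org}/actions/permissions/workflow
  GET /repos/{owner}/{repo}/actions/permissions/workflow
e.g. as printed by `gh api /orgs/example-org/actions/permissions/workflow`.
"""
import json

# Constructed sample: an organization still on the permissive read/write default.
ORG_RESPONSE = json.loads('{"default_workflow_permissions": "write"}')

# Constructed sample: repository-level settings, keyed by full name.
REPO_RESPONSES = {
    "example-org/api": json.loads('{"default_workflow_permissions": "read"}'),
    "example-org/web": json.loads('{"default_workflow_permissions": "write"}'),
}


def effective_permission(org_setting: dict, repo_setting: dict) -> str:
    """Scope a workflow's GITHUB_TOKEN gets when it declares no `permissions:` key.

    A read-only organization default caps every repository at read; a
    read/write organization default lets each repository keep its own choice.
    """
    if org_setting["default_workflow_permissions"] == "read":
        return "read"
    return repo_setting["default_workflow_permissions"]


def find_write_defaults(org_setting: dict, repos: dict) -> list:
    """Repositories whose workflows receive a read/write GITHUB_TOKEN by default."""
    return sorted(name for name, repo in repos.items()
                  if effective_permission(org_setting, repo) == "write")


def remediation_payload() -> dict:
    """Body for PUT /orgs/{org}/actions/permissions/workflow enforcing read-only tokens."""
    return {"default_workflow_permissions": "read"}


if __name__ == "__main__":
    for name in find_write_defaults(ORG_RESPONSE, REPO_RESPONSES):
        print(f"FINDING: {name} workflows get a read/write GITHUB_TOKEN by default")
    print("Org-level fix:", json.dumps(remediation_payload()))
```

Individual workflows can additionally declare a top-level `permissions:` block to request only the scopes they need, regardless of the organization default.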