Token-Permissions Check

Key Insight

Job-level permissions minimize blast radius from compromised workflows.

Target: 10/10 by using job-level permission scoping

What it checks: Whether GitHub Actions workflows grant minimal permissions to each job.

Why it matters: Workflow-level permissions grant all jobs maximum access. If any job is compromised (via malicious dependency or workflow injection), attackers get write access to repository and secrets. Job-level permissions limit blast radius.

Quick Summary

Token-Permissions is extensively covered in existing documentation:

• Scorecard Compliance - Complete patterns with before/after examples
• Scorecard Workflow Examples - Production workflows demonstrating job-level permissions
• Tier 1 Progression - Quick wins including Token-Permissions fix

Core principle: Empty permissions at workflow level, grant minimal permissions per job.

Before: Workflow-Level Permissions

```yaml name: Release

permissions: contents: write # ALL jobs get this id-token: write # ALL jobs get this

jobs: test: runs-on: ubuntu-latest steps:

  - run: go test ./...  # Doesn't need write!

```bash Result: Token-Permissions alerts

After: Job-Level Permissions

```yaml name: Release

permissions: {} # Empty at workflow level

jobs: test: permissions: contents: read # Minimal for this job runs-on: ubuntu-latest steps:

  - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
  - run: go test ./...

```bash Result: Token-Permissions 10/10

Common Permission Patterns

Job Type	Required Permissions
Test	contents: read
Lint	contents: read
Build	contents: read
Release (upload assets)	contents: write
Signing (Cosign)	contents: write, id-token: write
SLSA provenance	actions: read, id-token: write, contents: write
PR comments	pull-requests: write, contents: read

Reference Documentation

For complete implementation details, see:

Scorecard Compliance → Token-Permissions

Covers:

• Before/after examples
• All common permission patterns
• Troubleshooting permission errors
• Bulk migration strategies

Scorecard Workflow Examples

Production workflows demonstrating:

• Multi-job workflows with job-level permissions
• SLSA provenance with correct permissions
• Release workflows with signing

Quick validation:

```bash

Check for workflow-level permissions

grep -r "^permissions:" .github/workflows/

Should see only "permissions: {}" at workflow level

Job-level permissions are indented under jobs

```bash Blog post: 16 Alerts Cleared Overnight - Real-world Token-Permissions mass fix

---

---

Related Content

Other Security Practices checks:

• Security-Policy - Vulnerability disclosure process
• CII-Best-Practices - OpenSSF Best Practices Badge
• Vulnerabilities - Known CVE detection and remediation
• Fuzzing - Automated fuzz testing

Detailed guides:

• Scorecard Compliance → Token-Permissions
• Scorecard Workflow Examples
• Tier 1 Progression

Blog posts:

• 16 Alerts Cleared Overnight

---

Token-Permissions is a quick win. Move permissions from workflow level to job level for least-privilege access.

Comments