
Create codeql.yml#76

Open
norwd wants to merge 3 commits intomainfrom
norwd-patch-1

Conversation

@norwd
Member

@norwd norwd commented Nov 26, 2024

No description provided.

@norwd norwd closed this Nov 26, 2024
@norwd norwd deleted the norwd-patch-1 branch December 3, 2024 01:07
@norwd norwd restored the norwd-patch-1 branch January 5, 2025 23:48
@norwd norwd reopened this Jan 5, 2025
Comment on lines +52 to +66
    name: Dependency Scan
    runs-on: ubuntu-latest
    steps:
    - name: "Checkout repository"
      uses: actions/checkout@v4

    - name: "Scan for dependencies"
      uses: github/dependabot-action@v2
      with:
        sub-directory: "/"
        open-pull-requests-limit: 5
        package-ecosystem: "github-actions"
        directory: "/"

  secret-scan:

Check warning (Code scanning / CodeQL): Workflow does not contain permissions, severity Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the problem, add a permissions block to the dependency-scan job in .github/workflows/codeql.yml. This block should grant only the minimal required permissions. Since the job only checks out code and runs a dependency scan, contents: read is sufficient. The permissions block should be added at the same indentation level as runs-on and steps within the dependency-scan job, ideally immediately after runs-on for clarity.


Suggested changeset 1
.github/workflows/codeql.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -51,6 +51,8 @@
   dependency-scan:
     name: Dependency Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - name: "Checkout repository"
       uses: actions/checkout@v4
EOF
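Review bot: the added `permissions: contents: read` is enough for the checkout step, but the job's own `with:` inputs a few lines below this hunk (`open-pull-requests-limit: 5`, `package-ecosystem: "github-actions"`) imply that `github/dependabot-action@v2` is expected to open pull requests, which a token limited to `contents: read` cannot do; confirm the token scopes that action actually documents before merging, otherwise the job goes from over-privileged to failing at runtime. The job also passes both `sub-directory: "/"` and `directory: "/"`, which should be reduced to whichever input the action defines.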
Comment on lines +67 to +74
    name: "Secret Scan"
    runs-on: ubuntu-latest
    steps:
    - name: "Checkout"
      uses: actions/checkout@v4

    - name: "Scan for secrets"
      uses: github/secret-scanning@v2

Check warning (Code scanning / CodeQL): Workflow does not contain permissions, severity Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the problem, we should add a permissions block to the secret-scan job in .github/workflows/codeql.yml. This block should specify the minimal permissions required for the job to function correctly. Since the job only checks out code and runs a secret scanning action, it only needs read access to repository contents. Therefore, we should add permissions: contents: read under the secret-scan job, at the same indentation level as name and runs-on. No other changes are required.

Suggested changeset 1
.github/workflows/codeql.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -66,6 +66,8 @@
   secret-scan:
     name: "Secret Scan"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - name: "Checkout"
       uses: actions/checkout@v4
EOF
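Review bot: `contents: read` is the correct least-privilege floor for the checkout step, but nothing in this hunk shows what `github/secret-scanning@v2` needs from GITHUB_TOKEN; if that action uploads findings as code-scanning alerts it requires `security-events: write`, and with this block as written the job would fail rather than run, so verify the documented scopes and add only those. Since both jobs flagged by CodeQL are in the same file, a single workflow-level `permissions:` block would resolve both alerts in one place. While touching these lines, consider pinning `actions/checkout@v4` and the scanning action to a full commit SHA instead of a mutable major tag so the job cannot silently pick up a changed action.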
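As an added illustration (not code from this PR, nor GitHub's own CodeQL query), a small Python check that reproduces the condition both alerts above flag: jobs that run with neither a job-level nor a workflow-level `permissions:` block. The sample workflow is constructed from the two jobs in this PR, and the indentation-based scan assumes the 2-space YAML layout used in the file.

```python
"""Flag GitHub Actions jobs that run without an explicit GITHUB_TOKEN
permissions block (the condition behind the CodeQL warning above)."""

# Constructed sample modelled on the two jobs discussed in this PR:
# dependency-scan has no permissions block, secret-scan has one.
SAMPLE_WORKFLOW = """\
name: CodeQL
on: [push]
jobs:
  dependency-scan:
    name: Dependency Scan
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
  secret-scan:
    name: "Secret Scan"
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
    - uses: actions/checkout@v4
"""


def jobs_without_permissions(workflow_text):
    """Return the names of jobs that lack a job-level permissions block,
    unless the workflow declares permissions at the top level (either
    placement satisfies the CodeQL rule). Assumes 2-space indentation."""
    top_level_perms = False
    in_jobs = False
    current_job = None
    jobs = {}  # job name -> has job-level permissions block
    for raw in workflow_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        indent = len(raw) - len(raw.lstrip(" "))
        key = raw.strip().split(":", 1)[0]
        if indent == 0:
            in_jobs = key == "jobs"  # track whether we are under jobs:
            current_job = None
            if key == "permissions":
                top_level_perms = True
        elif in_jobs and indent == 2 and raw.rstrip().endswith(":"):
            current_job = key  # a new job mapping starts here
            jobs[current_job] = False
        elif in_jobs and indent == 4 and current_job and key == "permissions":
            jobs[current_job] = True
    if top_level_perms:
        return []
    return [job for job, has_perms in jobs.items() if not has_perms]
```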