GHA-SEC003 Minimally Scoped Credentials
Problem Statement
Unless a workflow declares a `permissions` key, the GITHUB_TOKEN it receives carries the repository's default permission set. For repositories still on the permissive default, that is read and write access on most scopes (contents, issues, pull-requests, packages and others), far more than a typical job needs.
Vulnerability
Privilege Escalation and Unauthorized Actions. Every step in the job, including third-party actions and anything injected through untrusted input, inherits the full token. A single compromised step can therefore push commits, rewrite releases or packages, or modify issues and pull requests, even when the job itself only needed to read the repository.
Code Examples
Insecure Implementation
```yaml
# No permissions block: the workflow's GITHUB_TOKEN falls back to the repository default,
# which on a permissive repository is read/write on most scopes.
```
Secure Implementation
```yaml
permissions:
  contents: read
  issues: write
```
Remediation Steps
- Declare `permissions` explicitly in every workflow; do not rely on the repository default.
- Start from zero (`permissions: {}` or `contents: read` alone) and add only the scopes a job demonstrably needs; where a single job needs a write scope, set it at the job level, since job-level permissions override the workflow-level block.
- Set the repository or organization "Workflow permissions" default to read-only so that a workflow without a block fails closed.
- Verify the effective scopes in the "Set up job" step of a run log, where the GITHUB_TOKEN permissions are printed.
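The code examples and remediation steps above are easier to enforce with a check that runs in CI or pre-commit. The following is an added example, not code from the original page or from GitHub: a small audit script that reads a workflow file, works out the effective GITHUB_TOKEN permissions per job (job-level block, else workflow-level block, else repository default) and reports jobs that fall back to the default, use `write-all`, or hold write scopes worth confirming. The scanner is indentation-aware and handles only the block-style and inline `permissions:` forms used in real workflows; it is not a general YAML parser, and the sample workflows embedded at the bottom are constructed for the example.

```python
import re

# Added example, not from the original page: a small indentation-aware scanner for the
# block-style and inline `permissions:` keys used in workflow files (not a general YAML
# parser). Only mapping keys match; sequence items ("- uses: ...") never carry permissions.
KEY_RE = re.compile(r"^( *)([\w.-]+):\s*(.*)$")
COMMENT_RE = re.compile(r"\s+#.*$|^\s*#.*$")


def _entries(text):
    """Yield (indent, key, value) for each mapping-key line, comments stripped."""
    for raw in text.splitlines():
        m = KEY_RE.match(COMMENT_RE.sub("", raw).rstrip())
        if m:
            yield len(m.group(1)), m.group(2), m.group(3).strip()


def _read_block(entries, i):
    """Parse the permissions value at entries[i]; return (value, index after it)."""
    indent, _, value = entries[i]
    i += 1
    if value in ("read-all", "write-all"):
        return value, i
    if value:                                   # inline mapping: {contents: read, ...}
        pairs = [p.split(":", 1) for p in value.strip("{} ").split(",") if p.strip()]
        return {k.strip(): v.strip() for k, v in pairs}, i
    scopes = {}                                 # block mapping: indented "scope: level"
    while i < len(entries) and entries[i][0] > indent:
        scopes[entries[i][1]] = entries[i][2]
        i += 1
    return scopes, i


def parse_permissions(text):
    """Return {"workflow": perms or None, "jobs": {job_id: perms or None}}."""
    entries = list(_entries(text))
    perms = {"workflow": None, "jobs": {}}
    in_jobs, job, job_indent, child_indent = False, None, None, None
    i = 0
    while i < len(entries):
        indent, key, _ = entries[i]
        if indent == 0:                         # top-level key
            in_jobs, job = key == "jobs", None
            if key == "permissions":
                perms["workflow"], i = _read_block(entries, i)
                continue
        elif in_jobs:
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:            # a job id directly under jobs:
                job, child_indent = key, None
                perms["jobs"][job] = None
            elif job is not None:
                child_indent = indent if child_indent is None else child_indent
                if indent == child_indent and key == "permissions":
                    perms["jobs"][job], i = _read_block(entries, i)
                    continue
        i += 1
    return perms


def effective_permissions(text):
    """Per job: job-level permissions if set, else workflow-level, else None (repo default)."""
    p = parse_permissions(text)
    return {j: (v if v is not None else p["workflow"]) for j, v in p["jobs"].items()}


def audit(text):
    """One finding per job whose GITHUB_TOKEN scope deserves a look."""
    findings = []
    for job, p in effective_permissions(text).items():
        if p is None:
            findings.append(f"{job}: no permissions block at job or workflow level; GITHUB_TOKEN gets the repository default")
        elif p == "write-all":
            findings.append(f"{job}: write-all grants write access on every scope")
        elif isinstance(p, dict):
            writes = sorted(s for s, lvl in p.items() if lvl == "write")
            if writes:
                findings.append(f"{job}: write access on {', '.join(writes)}; confirm each is needed")
    return findings


# Constructed sample workflows for the example (not from any real repository).
INSECURE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: make test
"""

MIXED = """\
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: make
  publish:
    needs: build
    permissions:
      contents: write    # only the job that creates the release may write
    runs-on: ubuntu-latest
    steps:
      - run: gh release create "$GITHUB_REF_NAME"
"""
```

Run `audit(open(".github/workflows/ci.yml").read())` over each workflow in a repository and fail the check on any "repository default" or "write-all" finding; the "write access on" findings are informational and are the list a reviewer should be able to justify scope by scope.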