It seems that the default permissions given as an example in the docs or in the default template when you add the action to your repo are not sufficient on at least private repos. I have not tested it on a public one.
It seems the default read-only permissions on the workflow level have no influence anymore if job-specific permissions are set.
I had to add the following to allow the action to run at all without erroring out:
```yaml
      # To allow GraphQL ListCommits to work
      issues: read
      pull-requests: read
```
Without these extra permissions it fails very fast with the following error:
```text
Error: RunScorecard: internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
2023/08/17 09:37:40 error during command execution: RunScorecard: internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
```
Also I noticed that without the permission
```yaml
      # To detect SAST tools
      checks: read
```
the rule with rule id SASTID is not working; it auto-closes this security issue if I remove this permission.
Full workflow that works for us using the default GITHUB_TOKEN (no checks on branch protection or webhooks since that would require a PAT).
```yaml
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
name: Scorecard supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '40 13 * * 1'
  push:
    branches: [ "develop" ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      contents: read
      actions: read
      # To allow GraphQL ListCommits to work
      issues: read
      pull-requests: read
      # To detect SAST tools
      checks: read

    steps:
      - name: "Checkout code"
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

          # Public repositories:
          #   - Publish results to OpenSSF REST API for easy access by consumers
          #   - Allows the repository to include the Scorecard badge.
          #   - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
          publish_results: false

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
        with:
          sarif_file: results.sarif
```
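The point this issue turns on is that a job-level `permissions:` block replaces the workflow-level `permissions: read-all` wholesale, so the job ends up with only what it lists. The following is an added example (not ossf/scorecard-action code) that models that rule and checks a Scorecard job against the scopes reported above; the workflow is given as a plain Python dict (in practice you would load the YAML with a parser first), and `ALL_SCOPES`, `REQUIRED` and the sample workflow are assumptions constructed here.

```python
# Added example (not ossf/scorecard-action code): a job-level `permissions:`
# block replaces the workflow-level one entirely; check a Scorecard job
# against the scopes the issue reports a private repo needs with GITHUB_TOKEN.

ALL_SCOPES = (  # assumed expansion of `read-all` / `write-all`
    "actions", "checks", "contents", "deployments", "discussions", "id-token",
    "issues", "packages", "pages", "pull-requests", "repository-projects",
    "security-events", "statuses",
)

REQUIRED = {  # scopes listed in the issue's working workflow
    "security-events": "write", "id-token": "write",
    "contents": "read", "actions": "read",
    "issues": "read", "pull-requests": "read",  # GraphQL ListCommits
    "checks": "read",                           # SAST tool detection
}

LEVEL = {"none": 0, "read": 1, "write": 2}


def expand(perms):
    """Normalise a `permissions:` value to an explicit {scope: level} map."""
    if perms is None:
        return {}
    if perms in ("read-all", "write-all"):
        return {s: perms.split("-")[0] for s in ALL_SCOPES}
    return dict(perms)


def effective_permissions(workflow, job_name):
    """Job block wins wholesale; workflow-level applies only if the job has none."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return expand(job["permissions"])
    return expand(workflow.get("permissions"))


def missing_permissions(workflow, job_name):
    """Return {scope: needed_level} for every REQUIRED scope the job lacks."""
    have = effective_permissions(workflow, job_name)
    return {s: need for s, need in REQUIRED.items()
            if LEVEL[have.get(s, "none")] < LEVEL[need]}


# Constructed sample: workflow-level read-all plus only the template's two
# write scopes at job level, i.e. the configuration that failed in the issue.
TEMPLATE_WORKFLOW = {
    "permissions": "read-all",
    "jobs": {"analysis": {"permissions": {
        "security-events": "write", "id-token": "write"}}},
}
```

Running `missing_permissions(TEMPLATE_WORKFLOW, "analysis")` reports the five read scopes the job silently lost, which matches the extra lines the issue had to add.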
This permission example helped me a lot to configure Scorecard in our GHES instance with a private repo. Should definitely be part of the documentation!!!
If someone is using a PAT and is getting the corresponding error with the default config on a private repo:
```text
Error: RunScorecard: internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: Resource not accessible by personal access token
```
I had to grant the following extra permissions to my fine grained PAT: