Skip to content

Set least-privilege permissions on the scan workflow#9

Merged
satsura merged 1 commit into
mainfrom
fix/workflow-permissions
Jul 11, 2026
Merged

Set least-privilege permissions on the scan workflow#9
satsura merged 1 commit into
mainfrom
fix/workflow-permissions

Conversation

@satsura

@satsura satsura commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Cerberus flagged its own workflow: Checkov's CKV2_GHA_1 fires on a workflow that leaves top-level permissions unset, because the job then inherits whatever the repository default is.

Declares contents: read + packages: read — all the scan job ever needs — and shows the same in the README example, so every consumer repository inherits the fix instead of collecting the finding.

@satsura satsura merged commit 0b8173f into main Jul 11, 2026
3 checks passed
@satsura satsura deleted the fix/workflow-permissions branch July 11, 2026 13:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants