From b314331ed2838d33394635d85780354a45255aab Mon Sep 17 00:00:00 2001 From: Valera Satsura Date: Sat, 11 Jul 2026 16:50:28 +0300 Subject: [PATCH] Set least-privilege permissions on the scan workflow --- .github/workflows/scan.yml | 6 ++++++ README.md | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 26108d3..8a86d9b 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -17,6 +17,12 @@ # findings the change introduces. The existing backlog never blocks anyone. name: Cerberus +# Least privilege at the top level: Checkov (CKV2_GHA_1) flags a workflow that +# leaves it unset, and the scan job only ever reads. +permissions: + contents: read + packages: read + on: workflow_call: inputs: diff --git a/README.md b/README.md index 53ae185..67ec5b5 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,10 @@ include: **GitHub** — call the reusable workflow: ```yaml +permissions: + contents: read + packages: read + jobs: security: uses: startmatter/cerberus/.github/workflows/scan.yml@main