
Document minimum required permissions #388

Open
ericcornelissen opened this issue Nov 26, 2022 · 1 comment

Comments

@ericcornelissen

I wanted to use anchore/sbom-action with the dependency-snapshot option but since I always use permissions: read-all (related docs) this didn't work immediately. Instead, the action failed (silently) with the error:

##[warning]Error uploading depdendency snapshot: {
  "url": "https://api.github.com/repos/ericcornelissen/js-regex-security-scanner/dependency-graph/snapshots",
  "status": 403,
  "headers": {
    "access-control-allow-origin": "*",
    "access-control-expose-headers": "ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset",
    "connection": "close",
    "content-encoding": "gzip",
    "content-security-policy": "default-src 'none'",
    "content-type": "application/json; charset=utf-8",
    "date": "Sat, 26 Nov 2022 10:11:03 GMT",
    "referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
    "server": "GitHub.com",
    "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
    "transfer-encoding": "chunked",
    "vary": "Accept-Encoding, Accept, X-Requested-With",
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
    "x-github-media-type": "github.v3; format=json",
    "x-github-request-id": "07C0:1127:61CD34E:C82A67F:6381E637",
    "x-ratelimit-limit": "100",
    "x-ratelimit-remaining": "99",
    "x-ratelimit-reset": "1669457523",
    "x-ratelimit-resource": "dependency_snapshots",
    "x-ratelimit-used": "1",
    "x-xss-protection": "0"
  },
  "data": {
    "message": "Resource not accessible by integration",
    "documentation_url": "https://docs.github.com/rest/reference/dependency-graph#create-a-snapshot-of-dependencies-for-a-repository"
  }
}

From my testing, the required permissions for the dependency-snapshot option are:

permissions:
  contents: write

I haven't tried out all other features, but based on their description I think anchore/sbom-action/publish-sbom would need the same permissions to be able to upload the SBOM to a GitHub Release.

I think it would be nice to have the minimum required permissions documented to allow users to easily use the minimum required permissions needed and follow the principle of least privilege.
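One way to apply the least-privilege setup described in this issue, as an added example that is not part of the issue or of the anchore/sbom-action project's own documentation: keep `permissions: read-all` as the workflow-wide default and grant `contents: write` only to the single job that runs the action with `dependency-snapshot`. The action reference `anchore/sbom-action@v0`, the use of `actions/checkout`, and the input name `dependency-snapshot` are assumptions taken from the issue text; pin the versions you actually use.

```yaml
# Added example; not code from the issue or from the anchore/sbom-action project.
# Assumptions: the action is referenced as anchore/sbom-action@v0 and its input
# is named `dependency-snapshot`, as described in the issue above.
name: sbom

on:
  push:
    branches: [main]

# Workflow-level default: read-only token for every job, which is the setting
# the issue author runs with and the one that produced the 403 above.
permissions: read-all

jobs:
  sbom:
    runs-on: ubuntu-latest
    # Job-level override: only this job receives the write scope that the
    # dependency snapshot upload needs. Note that a job-level `permissions`
    # block replaces the defaults for that job, so every scope not listed here
    # is set to none for this job.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - uses: anchore/sbom-action@v0
        with:
          dependency-snapshot: true
```

Scoping the write grant to the job rather than the workflow keeps any other jobs (tests, linting, builds) on the read-only token, so a compromised step in those jobs cannot push to the repository or upload snapshots.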

@kzantow
Contributor

kzantow commented Nov 26, 2022

Yes, good catch! We definitely need to make it clear which permissions are needed for which features.

Labels
None yet
Projects
Status: Backlog

2 participants