
Lightning Talk: Automatically Restrict Permissions for the GITHUB Token

2022-06-23

Authors: Varun Sharma


Summary

The importance of setting minimum permissions for the GITHUB token and how the open-source project SecureWorkflows can automatically restrict permissions for the token.
  • GitHub Actions is a CI/CD platform with over 2 million workflows used by open-source projects, and each workflow gets a GITHUB token.
  • Restricting permissions for the GITHUB token is recommended by GitHub and the Open Source Security Foundation (OSSF) Security Scorecards.
  • Setting permissions for the token is difficult and time-consuming, as different GitHub Actions require different permissions.
  • SecureWorkflows is an open-source project that can automatically set minimum permissions for the GITHUB token, based on a knowledge base of required permissions for common GitHub Actions.
  • SecureWorkflows has been used to set token permissions for hundreds of workflows, including for the GitHub Actions starter workflows, and is recommended by OSSF Scorecards to fix token permissions.
  • The importance of setting minimum permissions for the GITHUB token is illustrated by a story of a supply chain attack on the VS Code GitHub repository, where a security researcher was able to push a commit to a release branch using a GitHub Actions workflow and an injected token that carried the contents: write permission.
In January 2021, a security researcher was able to push a commit to a release branch of the VS Code GitHub repository using a GitHub Actions workflow and an injected token that carried the contents: write permission. This highlights the importance of setting minimum permissions for the GITHUB token, as well as the difficulty of doing so manually for each GitHub Action used in a workflow.

Abstract

There are millions of open-source projects on GitHub. GitHub Actions is a CI/CD platform and there are over 2 million GitHub Actions workflows used by open-source projects.  Each GitHub Actions workflow gets a GITHUB token. Restricting permissions for this token is recommended by the GitHub Actions Hardening Guide and by Open Source Security Foundation (OSSF) Security Scorecards.  Setting permissions for this token is hard. There is a steep learning curve. Different GitHub Actions need different permissions, so developers must painfully research the correct permissions for each Action used in their workflow. Many developers are not aware of this token or that permissions can actually be restricted.  SecureWorkflows (https://github.com/step-security/secure-workflows) is an open-source project that enables automatic restriction of permissions for the GITHUB token. It has been used to set token permissions for hundreds of workflows, including for the GitHub Actions starter workflows, and is recommended by OSSF Scorecards to fix token permissions. This talk will discuss the importance of setting minimum permissions for the GITHUB token, share a real use case where the token was used to overwrite a release branch in Visual Studio Code’s GitHub repository, and give an overview & demo of the SecureWorkflows project.
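The summary and abstract both describe the mechanism SecureWorkflows applies: look up what each Action in a workflow needs from the GITHUB_TOKEN and emit the smallest permissions block that still lets the job run. The following script is an added illustration of that approach written for this page; it is not SecureWorkflows' own code, and its knowledge base is a constructed, abbreviated table rather than the project's maintained one. It takes the workflow as the dict that a YAML parser would return, so it runs without a YAML library, and it deliberately refuses to decide a job when a step uses an action it does not know, a local or docker action, or a run: script that touches the token, since restricting blindly would break the workflow.

```python
"""Least-privilege GITHUB_TOKEN permissions derived from a workflow's steps.

Illustrative re-implementation of the approach described in the talk; it is
not SecureWorkflows' own code. The workflow is passed as an already parsed
dict (what yaml.safe_load would return), so no YAML library is needed.
"""
from typing import Optional

# Constructed, abbreviated knowledge base: action -> scopes it needs on the
# GITHUB_TOKEN. The real project keeps a larger, maintained table.
KNOWLEDGE_BASE = {
    "actions/checkout": {"contents": "read"},
    "actions/setup-node": {},
    "actions/upload-artifact": {},
    "github/codeql-action/upload-sarif": {"security-events": "write"},
    "softprops/action-gh-release": {"contents": "write"},
}

# Ordering used when two steps need the same scope at different levels.
LEVEL = {"none": 0, "read": 1, "write": 2}


def action_name(uses: str) -> str:
    """Strip the version ref: 'actions/checkout@v3' -> 'actions/checkout'."""
    return uses.split("@", 1)[0]


def job_permissions(job: dict) -> Optional[dict]:
    """Return the minimal scopes a job needs, or None if it cannot be decided.

    None means: a step uses an action missing from the knowledge base, a
    local ('./') or 'docker://' action, or a run: script whose command or
    env references the token. Those jobs are left for a human to review.
    """
    needed: dict = {}
    for step in job.get("steps", []):
        uses = step.get("uses")
        if uses is None:
            text = step.get("run", "") + " ".join(
                str(v) for v in step.get("env", {}).values()
            )
            if "GITHUB_TOKEN" in text or "github.token" in text:
                return None  # script may use the token in unknown ways
            continue
        if uses.startswith("./") or uses.startswith("docker://"):
            return None  # no knowledge-base entry can exist for these
        scopes = KNOWLEDGE_BASE.get(action_name(uses))
        if scopes is None:
            return None  # unknown action: do not guess
        for scope, level in scopes.items():
            if LEVEL[level] > LEVEL[needed.get(scope, "none")]:
                needed[scope] = level
    return needed


def restrict_workflow(workflow: dict) -> dict:
    """Per-job result; jobs that already declare permissions are left alone."""
    result = {}
    for name, job in workflow.get("jobs", {}).items():
        if "permissions" in job:
            result[name] = job["permissions"]
        else:
            result[name] = job_permissions(job)
    return result


def render_permissions(scopes: Optional[dict]) -> str:
    """YAML fragment for one job. An empty dict renders as 'permissions: {}'."""
    if scopes is None:
        return "# permissions could not be determined automatically; review manually"
    if not scopes:
        return "permissions: {}"
    lines = ["permissions:"] + [f"  {k}: {v}" for k, v in sorted(scopes.items())]
    return "\n".join(lines)


# Constructed sample workflow, in the shape a YAML parser would produce.
SAMPLE_WORKFLOW = {
    "name": "ci",
    "on": ["push"],
    "jobs": {
        "build": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v3"},
            {"uses": "actions/setup-node@v3", "with": {"node-version": 18}},
            {"run": "npm ci && npm test"},
        ]},
        "release": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v3"},
            {"uses": "softprops/action-gh-release@v1"},
        ]},
        "deploy": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v3"},
            {"run": "./scripts/publish.sh",
             "env": {"TOKEN": "${{ secrets.GITHUB_TOKEN }}"}},
        ]},
    },
}

if __name__ == "__main__":
    for job, scopes in restrict_workflow(SAMPLE_WORKFLOW).items():
        print(f"{job}:\n{render_permissions(scopes)}\n")
```

Running it prints contents: read for the build job, contents: write for the release job (the checkout's read is subsumed by the release action's write), and a review-me comment for the deploy job because the hypothetical publish script receives the token through env. The emitted fragment is what you would paste under the job in the workflow file; without any permissions: key, the token falls back to the repository's default, which on older repositories is write access to most scopes.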

