Ensure actions created by GitHub have restrictions
GitHub Actions permissions are restricted when allowed_actions is set to selected; the organization then enforces an allow-list (whitelist) for actions, and that policy also covers actions created by GitHub
Risk Level: medium
Platform: Github
Spectral Rule ID: GH-HRD016
REMEDIATION
Add restrictions to actions created by GitHub.
SaaS:
In the organization settings on the GitHub site:
- Go to 'Actions'.
- Go to 'General actions permissions'.
- Select 'Allow <organization>, and select non-<organization>, actions and reusable workflows' (the option name contains your organization's name).
- Make sure 'Allow actions created by GitHub' is checked.
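The UI steps above have an API equivalent, which is how the check can be automated. The script below is an added example (not Spectral's own rule code) that reads an organization's Actions policy through the GitHub REST API, evaluates it against the remediation described on this page (allowed_actions must be selected and 'Allow actions created by GitHub' must be marked), and produces the PUT requests that would apply the fix. The `fetch_policy`, `evaluate` and `remediation_requests` function names are the example's own; the sample API responses are constructed so the evaluation runs offline.

```python
"""Evaluate and remediate an organization's GitHub Actions permissions policy.

Added example, not Spectral's own code. Endpoints used (GitHub REST API):
  GET /orgs/{org}/actions/permissions
  GET /orgs/{org}/actions/permissions/selected-actions
  PUT /orgs/{org}/actions/permissions
  PUT /orgs/{org}/actions/permissions/selected-actions
"""
import json
import urllib.request

API = "https://api.github.com"
RULE_ID = "GH-HRD016"


def fetch_policy(org: str, token: str) -> tuple[dict, dict]:
    """Fetch both policy documents for `org`. Needs an org-admin token."""
    def get(path: str) -> dict:
        req = urllib.request.Request(
            f"{API}{path}",
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json"},
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    permissions = get(f"/orgs/{org}/actions/permissions")
    # The selected-actions document only exists when an allow-list is in force.
    selected = {}
    if permissions.get("allowed_actions") == "selected":
        selected = get(f"/orgs/{org}/actions/permissions/selected-actions")
    return permissions, selected


def evaluate(permissions: dict, selected: dict) -> dict:
    """Return a finding: compliant flag plus the reasons it failed, if any."""
    reasons = []
    allowed = permissions.get("allowed_actions")
    if allowed != "selected":
        reasons.append(f"allowed_actions is '{allowed}', expected 'selected' "
                       "(no allow-list is enforced)")
    elif not selected.get("github_owned_allowed", False):
        reasons.append("github_owned_allowed is false; the remediation expects "
                       "'Allow actions created by GitHub' to be marked")
    return {"rule": RULE_ID, "compliant": not reasons, "reasons": reasons}


def remediation_requests(org: str, permissions: dict, selected: dict) -> list:
    """Build the (method, path, body) calls that apply the page's remediation.

    Existing allow-list entries are preserved; only the two flags the rule
    cares about are forced.
    """
    return [
        ("PUT", f"/orgs/{org}/actions/permissions", {
            # keep the current repository scope, only tighten the action scope
            "enabled_repositories": permissions.get("enabled_repositories", "all"),
            "allowed_actions": "selected",
        }),
        ("PUT", f"/orgs/{org}/actions/permissions/selected-actions", {
            "github_owned_allowed": True,
            "verified_allowed": selected.get("verified_allowed", False),
            "patterns_allowed": selected.get("patterns_allowed", []),
        }),
    ]


# Constructed sample responses (shape follows the GitHub API docs).
SAMPLE_NONCOMPLIANT = (
    {"enabled_repositories": "all", "allowed_actions": "all"},
    {},
)
SAMPLE_COMPLIANT = (
    {"enabled_repositories": "all", "allowed_actions": "selected",
     "selected_actions_url": f"{API}/orgs/example-org/actions/permissions/selected-actions"},
    {"github_owned_allowed": True, "verified_allowed": False,
     "patterns_allowed": ["example-org/*"]},
)

if __name__ == "__main__":
    for name, sample in (("non-compliant", SAMPLE_NONCOMPLIANT),
                         ("compliant", SAMPLE_COMPLIANT)):
        finding = evaluate(*sample)
        print(name, json.dumps(finding))
        if not finding["compliant"]:
            for method, path, body in remediation_requests("example-org", *sample):
                print(f"  {method} {path} {json.dumps(body)}")
```

To run it against a real organization, call `fetch_policy("<org>", token)` with a fine-grained or classic token that has organization administration rights and pass the result to `evaluate`; the remediation bodies are only printed, never sent, so a reviewer can inspect them before applying.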