Ensure the GitHub action created by Github has restrictions
GitHub action permissions are restricted with allowed_actions set to selected, and others will implement a whitelist security policy also for actions created by Github
Risk Level: medium
Platform: Github
Spectral Rule ID: GH-HRD016
REMEDIATION
Add restrictions to actions created by Github.
SaaS:
In the organization setting in the Github site:
- Go to 'Actions'.
- Go to 'General actions permissions'.
- Select 'Allow and select , actions and reusable workflows'.
- Click 'Allow actions created by GitHub' (should be marked).
Read more:
Updated over 1 year ago