ci: harden security-scanning workflows (Scorecard code-scanning alerts)#259
Open
seonghobae wants to merge 2 commits into
Open
ci: harden security-scanning workflows (Scorecard code-scanning alerts)#259seonghobae wants to merge 2 commits into
seonghobae wants to merge 2 commits into
Conversation
…pinned actions) Resolves the OPEN Scorecard code-scanning alerts that point at workflow files by applying the secure fix directly (repo already SHA-pins other actions; these were the gaps). Token-Permissions (least-privilege GITHUB_TOKEN): - Alert #5 security-process.yml: drop top-level `security-events: write` and `actions: read`; grant `security-events: write`/`actions: read` only on the trivy-fs job that uploads SARIF. appguardrail-scan keeps `contents: read`. - Alerts #3, #4 prepare-pypi-release.yml: top-level token reduced to `contents: read`; `actions: write`/`contents: write`/`pull-requests: write` moved to the single prepare-release job (all are required by its dispatch/commit/PR steps). Pinned-Dependencies (pin actions by commit SHA): - Alert #7 security-process.yml: aquasecurity/trivy-action v0.36.0 -> ed142fd0673e97e23eac54620cfb913e5ce36c25 - Alert #8 security-process.yml: github/codeql-action/upload-sarif v4 -> 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 (v4.37.0) - Alert #6 org-security-failure-collector.yml: actions/create-github-app-token v3 -> bcd2ba49218906704ab6c1aa796996da409d3eb1 (v3.2.0) These alerts auto-close on the next Scorecard run against develop. No runtime/Python code changed; workflow behaviour is unchanged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01RTAMs4bpSZS77Xe3RQjv9P
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Remediates the OPEN Scorecard code-scanning alerts that point at workflow files in this repo by applying the secure fix directly. The repo already SHA-pins its other actions and uses least-privilege tokens elsewhere — these were the remaining gaps. No runtime/Python code changed; workflow behaviour is unchanged.
Alerts fixed in code (auto-close on next Scorecard scan of
develop)Token-Permissions (least-privilege
GITHUB_TOKEN)security-process.yml— removed top-levelsecurity-events: write/actions: read; those write/read scopes now live only on thetrivy-fsjob that uploads SARIF.appguardrail-scankeepscontents: read._collect_files#4, 🧪 Add test for_scan_fileerror handling #3prepare-pypi-release.yml— top-level token reduced tocontents: read;actions: write/contents: write/pull-requests: writemoved to the singleprepare-releasejob (each is required by its dispatch / commit-push / PR steps).Pinned-Dependencies (pin actions by commit SHA)
security-process.yml—aquasecurity/trivy-actionv0.36.0 →ed142fd0673e97e23eac54620cfb913e5ce36c25security-process.yml—github/codeql-action/upload-sarifv4 →99df26d4f13ea111d4ec1a7dddef6063f76b97e9(v4.37.0)org-security-failure-collector.yml—actions/create-github-app-tokenv3 →bcd2ba49218906704ab6c1aa796996da409d3eb1(v3.2.0)Not addressed here (org/admin policy, not code — central config/tooling)
These Scorecard findings are repository/organization settings or opinionated policy and cannot be fixed by a code change in this repo:
None are false positives, so none were dismissed.
🤖 Generated with Claude Code