
Maintenance: Address code scanning alerts about GitHub Actions token permissions #2371

@phipag

Description


Summary

We need to refine our GitHub Actions token permissions since they lead to CodeQL alerts (https://github.com/aws-powertools/powertools-lambda-java/security/code-scanning).

Example:

Token-Permissions
score is 9: jobLevel 'contents' permission set to 'write'
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help
Scorecard

Why is this needed?

This is needed to ensure least-privilege token use and scope down the permissions of our CI/CD pipeline to only the needed permissions.

Which area does this relate to?

Governance

Solution

No response

Acknowledgment
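The Scorecard alert quoted above flags a job that grants `contents: write` to `GITHUB_TOKEN`. The workflow below is an added illustration of the remediation, not a file from the powertools-lambda-java repository: the workflow and job names and the build steps are assumed for the example. It sets a restrictive default at the top level and grants the write scope only to the single job that needs it.

```yaml
# Constructed example workflow (not the project's own) showing the
# least-privilege GITHUB_TOKEN pattern that resolves the Token-Permissions alert.
#
# The flagged shape looked like this (job-level 'contents' set to 'write'
# with no restrictive workflow-level default):
#
#   jobs:
#     build:
#       permissions:
#         contents: write     # <- flagged: scorecard 'Token-Permissions'
#
name: ci   # assumed workflow name

on:
  pull_request:
  push:
    tags: ["v*"]

# Workflow-level default: declaring 'permissions' at all turns every scope
# not listed here to 'none'. 'contents: read' is the minimum that
# actions/checkout needs to fetch the repository.
permissions:
  contents: read

jobs:
  build:                      # assumed job name
    runs-on: ubuntu-latest
    # Inherits the read-only default above; no job-level override needed.
    steps:
      - uses: actions/checkout@v4
      - name: Build and test   # assumed build command
        run: mvn -B verify

  release:                    # assumed job name
    if: startsWith(github.ref, 'refs/tags/v')
    needs: build
    runs-on: ubuntu-latest
    # Only this job can create a GitHub release, so only this job gets the
    # write scope. Any other scope (packages, id-token, ...) stays 'none'
    # unless listed here explicitly.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Publish release  # assumed release command
        run: gh release create "${GITHUB_REF_NAME}" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

After the change, the check to run is the same one that raised the alert: re-run CodeQL / Scorecard on the repository and confirm the Token-Permissions finding no longer lists a job-level `contents: write` outside the job that genuinely publishes. The Remediation tip in the alert (https://app.stepsecurity.io/secureworkflow) generates this same shape automatically from an existing workflow file.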

Metadata


Projects

Status

Backlog

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
