From 0e2a006738b83cbcb7b2bd70490651f39018ec65 Mon Sep 17 00:00:00 2001
From: Shubham Malik
Date: Fri, 30 May 2025 04:39:32 +0530
Subject: [PATCH] fix: add package read permission for container jobs

---
 remediation/workflow/permissions/permissions.go | 8 ++++++++
 remediation/workflow/secureworkflow_test.go | 1 +
 testfiles/secureworkflow/output/container-job.yml | 3 +++
 3 files changed, 12 insertions(+)

diff --git a/remediation/workflow/permissions/permissions.go b/remediation/workflow/permissions/permissions.go
index 018eea47..d1c8e964 100644
--- a/remediation/workflow/permissions/permissions.go
+++ b/remediation/workflow/permissions/permissions.go
@@ -209,6 +209,7 @@ func AddJobLevelPermissions(inputYaml string, addEmptyTopLevelPermissions bool)
 jobState := &JobState{}
 jobState.WorkflowEnv = workflow.Env
+jobState.IsContainerJob = (job.Container.Image != "")
 perms, err := jobState.getPermissions(job.Steps)
 if err != nil {
@@ -369,6 +370,8 @@ type JobState struct {
 MissingActions []string
 Errors []error
 ActionPermissions *metadata.ActionPermissions
+
+IsContainerJob bool // true if the job is running in a container
 }
 func evaluateEnvironmentVariables(step metadata.Step) string {
@@ -519,6 +522,11 @@ func (jobState *JobState) getPermissionsForRunStep(step metadata.Step) ([]Permis
 func (jobState *JobState) getPermissions(steps []metadata.Step) ([]string, error) {
 permissions := []string{}
+// If the job is a container job, we need to add packages: read permission
+if jobState.IsContainerJob {
+permissions = append(permissions, fmt.Sprintf("%s # for container job", packages_read))
+}
+
 for _, step := range steps {
 if step.Uses != "" { // it is an action
diff --git a/remediation/workflow/secureworkflow_test.go b/remediation/workflow/secureworkflow_test.go
index bcb99099..04761237 100644
--- a/remediation/workflow/secureworkflow_test.go
+++ b/remediation/workflow/secureworkflow_test.go
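Review bot: `IsContainerJob` is derived only from `job.Container.Image`, so a job whose images come in through `services:` gets no `packages: read` even though those images may also be pulled with the job token; whether the project's YAML model also fills `Image` for the `container: <name>` string shorthand is not visible in this hunk and is worth confirming. The parentheses around the comparison are redundant in Go: `jobState.IsContainerJob = job.Container.Image != ""`. The enclosing loop of AddJobLevelPermissions starts and ends outside the hunk.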
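Review bot: The `@@ -519` hunk grants `packages: read` to every container job regardless of registry, but that scope is only needed when the image is pulled from GitHub Packages (ghcr.io); for images on other registries, such as the cgr.dev image in the updated fixture, it widens the GITHUB_TOKEN beyond what the job uses. Gating on the image reference keeps the remediation at least privilege, e.g. carry the image on JobState instead of a bool (a constructed name such as `ContainerImage string`) and test `if strings.HasPrefix(jobState.ContainerImage, "ghcr.io/")`; this is hedged, since `packages_read` and the consumer of the `# for container job` suffix are outside the hunk. `fmt.Sprintf("%s # for container job", packages_read)` is also plain concatenation, `packages_read + " # for container job"`. The rest of getPermissions continues past the hunk.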
@@ -333,6 +333,7 @@ func TestSecureWorkflowContainerJob(t *testing.T) {
 queryParams := make(map[string]string)
 queryParams["skipHardenRunnerForContainers"] = "true"
 queryParams["addProjectComment"] = "false"
+queryParams["addPermissions"] = "true"
 output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
diff --git a/testfiles/secureworkflow/output/container-job.yml b/testfiles/secureworkflow/output/container-job.yml
index 9ec39b1b..3bfade61 100644
--- a/testfiles/secureworkflow/output/container-job.yml
+++ b/testfiles/secureworkflow/output/container-job.yml
@@ -9,6 +9,9 @@ permissions:
 jobs:
 test:
+permissions:
+contents: read # for actions/checkout to fetch code
+packages: read # for container job
 runs-on: ubuntu-latest
 container:
 image: cgr.dev/chainguard/wolfi-base@sha256:91ed94ec4e72368a9b5113f2ffb1d8e783a91db489011a89d9fad3e3816a75ba