Merge pull request #2482 from step-security/fix-2479

Fix 2479

.github/workflows/automatePR.yml

@@ -17,11 +17,11 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
         with:
           repository: step-security/secure-repo
 

.github/workflows/codeql.yml

@@ -41,12 +41,12 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
         with:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/int.yml

@@ -15,11 +15,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
         with:
           fetch-depth: 0
       - name: Set up Go 

.github/workflows/kb-test.yml

@@ -14,7 +14,7 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v1
+      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           allowed-endpoints: >
             api.github.com:443
@@ -25,7 +25,7 @@ jobs:
             objects.githubusercontent.com:443
             golang.org:443
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up Go

.github/workflows/kbanalysis.yml

@@ -22,11 +22,11 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
         with:
           repository: step-security/secure-repo
 

.github/workflows/release.yml

@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
         with:
           fetch-depth: 0
       - name: Set up Go
@@ -33,7 +33,7 @@ jobs:
         env: 
           PAT: ${{ secrets.PAT }} 
 
-      - uses: step-security/wait-for-secrets@1204ba02d7a707c4ef2e906d2ea1e36eebd9bbd2
+      - uses: step-security/wait-for-secrets@5809f7d044804a5a1d43217fa8f3e855939fc9ef
         id: wait-for-secrets
         with:
           slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/scorecards.yml

@@ -32,12 +32,12 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
         with:
           persist-credentials: false
 

.github/workflows/test.yml

@@ -16,7 +16,7 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -31,7 +31,7 @@ jobs:
             objects.githubusercontent.com:443
             golang.org:443
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up Go

remediation/workflow/metadata/actionmetadata.go

@@ -30,6 +30,7 @@ type Step struct {
 type Job struct {
 	Permissions Permissions `yaml:"permissions"`
 	Uses        string      `yaml:"uses"`
+	Env         Env         `yaml:"env"`
 	// RunsOn      []string    `yaml:"runs-on"`
 	Steps []Step `yaml:"steps"`
 }

remediation/workflow/permissions/permissions.go

@@ -38,6 +38,7 @@ const errorMissingAction = "KnownIssue-4: Action %s is not in the knowledge base
 const errorAlreadyHasPermissions = "KnownIssue-5: Permissions were not added to the job since it already had permissions defined"
 const errorDockerAction = "KnownIssue-6: Action %s is a docker action which uses Github token. Docker actions that uses token are not supported"
 const errorReusableWorkflow = "KnownIssue-7: Action %s is a reusable workflow. Reusable workflows are not supported as of now."
+const errorGithubTokenInJobEnv = "KnownIssue-8: Permissions were not added to the jobs since it has GITHUB_TOKEN in job level env variable"
 const errorIncorrectYaml = "Unable to parse the YAML workflow file"
 
 // To avoid a typo while adding the permissions
@@ -78,6 +79,15 @@ func alreadyHasWorkflowPermissions(workflow metadata.Workflow) bool {
 	return workflow.Permissions.IsSet
 }
 
+func githubTokenInJobLevelEnv(job metadata.Job) bool {
+	for _, envValue := range job.Env {
+		if strings.Contains(envValue, "secrets.GITHUB_TOKEN") || strings.Contains(envValue, "github.token") {
+			return true
+		}
+	}
+	return false
+}
+
 func AddWorkflowLevelPermissions(inputYaml string, addProjectComment bool) (string, error) {
 	workflow := metadata.Workflow{}
 
@@ -177,6 +187,12 @@ func AddJobLevelPermissions(inputYaml string) (*SecureWorkflowReponse, error) {
 			continue
 		}
 
+		if githubTokenInJobLevelEnv(job) {
+			fixWorkflowPermsReponse.HasErrors = true
+			errors[jobName] = append(errors[jobName], errorGithubTokenInJobEnv)
+			continue
+		}
+
 		if metadata.IsCallingReusableWorkflow(job) {
 			fixWorkflowPermsReponse.HasErrors = true
 			errors[jobName] = append(errors[jobName], fmt.Sprintf(errorReusableWorkflow, job.Uses))

testfiles/joblevelpermskb/input/github-token-in-job-env.yml

@@ -0,0 +1,16 @@
+name: Job level env
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  job-with-error:
+    env:
+      GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+    runs-on: ubuntu-latest
+    steps:
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - name: some step that uses token
+        run: |
+          npm ci

testfiles/joblevelpermskb/output/github-token-in-job-env.yml

@@ -0,0 +1 @@
+KnownIssue-8: Permissions were not added to the jobs since it has GITHUB_TOKEN in job level env variable