Status: Open
Labels: documentation (Improvements or additions to documentation), help wanted (Extra attention is needed), needs-research
Description
I wanted to use anchore/sbom-action with the `dependency-snapshot` option, but since I always use `permissions: read-all` (related docs), this didn't work immediately. Instead, the action failed (silently) with the error:
```
##[warning]Error uploading depdendency snapshot: {
  "url": "https://api.github.com/repos/ericcornelissen/js-regex-security-scanner/dependency-graph/snapshots",
  "status": 403,
  "headers": {
    "access-control-allow-origin": "*",
    "access-control-expose-headers": "ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset",
    "connection": "close",
    "content-encoding": "gzip",
    "content-security-policy": "default-src 'none'",
    "content-type": "application/json; charset=utf-8",
    "date": "Sat, 26 Nov 2022 10:11:03 GMT",
    "referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
    "server": "GitHub.com",
    "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
    "transfer-encoding": "chunked",
    "vary": "Accept-Encoding, Accept, X-Requested-With",
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
    "x-github-media-type": "github.v3; format=json",
    "x-github-request-id": "07C0:1127:61CD34E:C82A67F:6381E637",
    "x-ratelimit-limit": "100",
    "x-ratelimit-remaining": "99",
    "x-ratelimit-reset": "1669457523",
    "x-ratelimit-resource": "dependency_snapshots",
    "x-ratelimit-used": "1",
    "x-xss-protection": "0"
  },
  "data": {
    "message": "Resource not accessible by integration",
    "documentation_url": "https://docs.github.com/rest/reference/dependency-graph#create-a-snapshot-of-dependencies-for-a-repository"
  }
}
```
From my testing, the required permissions for the `dependency-snapshot` option are:

```yaml
permissions:
  contents: write
```

I haven't tried out all other features, but based on their description I think anchore/sbom-action/publish-sbom would need the same permissions to be able to upload the SBOM to a GitHub Release.
I think it would be nice to have the minimum required permissions documented to allow users to easily use the minimum required permissions needed and follow the principle of least privilege.
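The following workflow is an added example, not code from the anchore/sbom-action project or from the issue author. It shows how to keep the workflow-wide `permissions: read-all` default described in the issue and grant `contents: write` only to the single job that submits the dependency snapshot. The job names, the `npm ci` build step, and the action version tags are assumptions chosen for illustration.

```yaml
# Added example (not the project's own workflow). Assumptions: a Node.js
# repository, and placeholder job names and action version tags.
name: sbom

on:
  push:
    branches: [main]

# Workflow-wide default: every job starts with read-only token scopes.
# The 403 "Resource not accessible by integration" in the issue is what the
# snapshot upload produces when the job is left at this default.
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits read-all; this job never needs to write to the repository.
    steps:
      - uses: actions/checkout@v4
      - run: npm ci

  sbom:
    runs-on: ubuntu-latest
    needs: build
    # A job-level permissions block replaces the workflow-level one for this
    # job only. contents: write is the scope the dependency-graph snapshot
    # endpoint requires; every scope not listed here becomes none.
    permissions:
      contents: write
    steps:
      # checkout still works: write on contents implies read.
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action@v0
        with:
          dependency-snapshot: true
```

Two things to check when adopting this: a job-level `permissions` block does not merge with the workflow-level one, so any other scope the job needs (for example `pull-requests: read`) must be listed explicitly; and the elevated token exists only in the `sbom` job, so a compromised build step in the other job cannot push a snapshot or commit on its own.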
Metadata
Status: Backlog