security-events: write permission declared but unused #91

@robocopklaus

Description

The `build_and_publish` job declares `security-events: write` permission but no SARIF upload or security scanning step exists in the workflow.

File(s)

  • `.github/workflows/release.yml` (line 81)

Evidence

```yaml
permissions:
  contents: read
  packages: write
  security-events: write # Unused
```
The scan build loads an image but never runs a scanner.

Recommendation

Either:

  1. Remove the unused permission (principle of least privilege), OR
  2. Add a Trivy or Grype scanning step after the scan build
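Both remediations, written out as an added example rather than a patch from the reporter or the repository. The action names and their inputs (`aquasecurity/trivy-action`, `github/codeql-action/upload-sarif`, `image-ref`, `format`, `output`, `sarif_file`) are real; the job name is taken from the issue, while the step names, the image reference, the version tags (pin them to a commit SHA in practice) and the build step being elided are assumptions.

```yaml
# Option 1, least privilege: drop the grant because nothing in the job consumes it.
# (GITHUB_TOKEN then cannot write to code scanning from this job at all.)
jobs:
  build_and_publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      # security-events: write  <- removed: no SARIF upload or scanner step exists
    steps:
      - uses: actions/checkout@v4
      # ... existing build-and-push steps unchanged ...
---
# Option 2, make the grant earn its keep: scan the image and upload SARIF to
# code scanning, which is exactly what security-events: write is for.
jobs:
  build_and_publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      security-events: write   # consumed by the upload-sarif step below
    steps:
      - uses: actions/checkout@v4
      # ... existing build-and-push steps, assumed to produce the image below ...
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@0.28.0   # assumed version; pin to a SHA
        with:
          image-ref: ghcr.io/example-org/example-image:${{ github.sha }}  # placeholder
          format: sarif
          output: trivy-results.sarif
          exit-code: '0'   # report only; set to '1' to fail the job on findings
      - name: Upload Trivy results to code scanning
        if: always()      # upload even when the scan step fails or is set to fail the job
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

Whichever option is chosen, the check to re-run afterwards is the same one the reporter applied: every entry under `permissions:` should map to at least one step that needs it, and a `security-events: write` grant with no `upload-sarif` (or equivalent) step is the signal to look for.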

Risk if Ignored

Unused permissions create a false sense of security scanning. Minor security debt.


Found by: CI/CD & Release Pipeline Specialist (Agent 3) | Reviewed by: Critique Agent

Labels: ci-cd (CI/CD & release pipeline), info (Nice to have improvement)