Skip to content

Potential fix for code scanning alert no. 1: Workflow does not contain permissions#23

Merged
jonaslejon merged 1 commit into
mainfrom
alert-autofix-1
Apr 6, 2026
Merged

Potential fix for code scanning alert no. 1: Workflow does not contain permissions#23
jonaslejon merged 1 commit into
mainfrom
alert-autofix-1

Conversation

@jonaslejon

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/jonaslejon/malicious-pdf/security/code-scanning/1

To fix this, explicitly declare restricted GITHUB_TOKEN permissions for the workflow or the semgrep job. Since this workflow only checks out code and runs Semgrep, it only needs read access to repository contents. The minimal fix is to set permissions: contents: read at the workflow level so it applies to all jobs (there is only semgrep), satisfying CodeQL and implementing least privilege.

The best fix without changing functionality is to add a top-level permissions: block between the name: Semgrep line and the jobs: block in .github/workflows/semgrep.yml. This will ensure all jobs get a read-only token, while actions/checkout@v3 continues to function correctly, because it only needs contents: read for read-only checkouts. No imports or external libraries are involved; only the YAML structure is updated.

Concretely:

  • In .github/workflows/semgrep.yml, insert:
permissions:
  contents: read
  • Place it after name: Semgrep (line 12) and before jobs: (line 13).
    No other changes are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@jonaslejon jonaslejon marked this pull request as ready for review April 6, 2026 19:46
@jonaslejon jonaslejon merged commit f0bc4a0 into main Apr 6, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant