
Field        Value
Rule ID      slsa-build-l2-perms-overly-broad
Severity     HIGH
SLSA level   v1.2 Build L2
Auto-fix     No

What the check does

Fires when a workflow- or job-level permissions: block either:
  • Sets the scalar permissions: write-all, or
  • Declares four or more scopes all set to write (an exhaustive write map).

Why it matters

SLSA Build L2 hardening expects least privilege — only the scopes the workflow actually needs should be writable. write-all is strictly worse than the implicit default: it gives reviewers the impression that permissions have been considered when they haven’t been. This rule is the sibling of cicd-sec-5-missing-permissions: one fires on absence of a block, this one fires on excess.

Vulnerable example

name: ci
on: push
permissions: write-all              # ← antipattern
jobs:
  build:
    runs-on: ubuntu-latest
    steps: [{ run: ./build.sh }]

Safe example

name: ci
on: push
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write              # ← only this job actually needs it
    steps: [{ run: ./publish.sh }]
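The two conditions listed under "What the check does" can be expressed in a few dozen lines. The block below is an added example, not pipefort's own implementation: it assumes the workflow has already been parsed into Python dicts (the shape PyYAML's safe_load produces) and uses its own Finding record; the four sample workflows are constructed here and mirror the vulnerable and safe examples above, plus one job-level map with four write scopes and one with only three.

```python
"""Added example, not pipefort's own code: a minimal implementation of the
slsa-build-l2-perms-overly-broad check over a parsed GitHub Actions workflow.
Assumptions: the workflow is already parsed into Python dicts (the shape
yaml.safe_load produces), and the Finding record below is this example's own."""
from dataclasses import dataclass
from typing import List, Optional

RULE_ID = "slsa-build-l2-perms-overly-broad"
WRITE_SCOPE_THRESHOLD = 4  # rule text: "four or more scopes all set to write"


@dataclass(frozen=True)
class Finding:
    rule_id: str
    location: str  # "workflow" or "job:<job name>"
    reason: str


def check_permissions_block(perms, location: str) -> Optional[Finding]:
    """Return a Finding if one permissions: block is overly broad, else None."""
    if perms is None:
        # A missing block is the sibling rule's concern (cicd-sec-5), not this one's.
        return None
    if isinstance(perms, str):
        # Scalar form: only write-all is the antipattern; read-all passes.
        if perms.strip() == "write-all":
            return Finding(RULE_ID, location, "permissions: write-all grants every scope")
        return None
    if isinstance(perms, dict) and perms:
        # Map form: an exhaustive write map is >= 4 scopes, every one set to write.
        values = [str(v).strip() for v in perms.values()]
        if len(values) >= WRITE_SCOPE_THRESHOLD and all(v == "write" for v in values):
            return Finding(RULE_ID, location,
                           f"{len(values)} scopes declared and all set to write")
    return None


def check_workflow(workflow: dict) -> List[Finding]:
    """Apply the check at workflow level, then at each job level."""
    findings = []
    top = check_permissions_block(workflow.get("permissions"), "workflow")
    if top:
        findings.append(top)
    for job_name, job in (workflow.get("jobs") or {}).items():
        if isinstance(job, dict):
            f = check_permissions_block(job.get("permissions"), f"job:{job_name}")
            if f:
                findings.append(f)
    return findings


# Constructed sample workflows: the page's two examples plus two map-form
# cases on either side of the four-scope threshold.
VULNERABLE = {
    "name": "ci", "on": "push", "permissions": "write-all",
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [{"run": "./build.sh"}]}},
}
SAFE = {
    "name": "ci", "on": "push", "permissions": {"contents": "read"},
    "jobs": {"build": {"runs-on": "ubuntu-latest",
                       "permissions": {"contents": "read", "packages": "write"},
                       "steps": [{"run": "./publish.sh"}]}},
}
EXHAUSTIVE_WRITE_MAP = {
    "name": "ci", "on": "push", "permissions": {"contents": "read"},
    "jobs": {"publish": {"runs-on": "ubuntu-latest",
                         "permissions": {"contents": "write", "packages": "write",
                                         "id-token": "write", "issues": "write"},
                         "steps": [{"run": "./publish.sh"}]}},
}
THREE_WRITES = {  # three write scopes: below the threshold, so not flagged
    "name": "ci", "on": "push",
    "permissions": {"contents": "write", "packages": "write", "id-token": "write"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [{"run": "./build.sh"}]}},
}

if __name__ == "__main__":
    for label, wf in [("vulnerable", VULNERABLE), ("safe", SAFE),
                      ("exhaustive", EXHAUSTIVE_WRITE_MAP), ("three-writes", THREE_WRITES)]:
        print(label, check_workflow(wf))
```

Running it reports one finding at workflow level for the write-all case, one at job:publish for the four-scope write map, and nothing for the safe example or the three-scope map. If you feed real files through PyYAML, remember that its YAML 1.1 loader turns the bare `on` key into the boolean True; the check above never touches that key, so the result is unaffected.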

Why no auto-fix

We can’t tell from YAML alone which scopes the workflow actually needs, so downgrading scopes automatically would break builds. The recommendation is to start from contents: read at the workflow level and add scopes per job as needed.