
Potential fix for code scanning alert no. 3: Workflow does not contain permissions #189

Closed
simonmarty wants to merge 2 commits into main from alert-autofix-3

Conversation

@simonmarty (Contributor)

Potential fix for https://github.com/aws/aws-secretsmanager-agent/security/code-scanning/3

In general, this issue is fixed by explicitly declaring a permissions block in the workflow (either at the top level or per job) and setting it to the minimal scopes the workflow actually needs. For this Docker build workflow, the steps only need to read repository contents (for checkout); there is no need to write to the repo or interact with issues, PRs, or other resources, so contents: read is sufficient.

The best fix here is to add a job-level permissions block under jobs.build (indented to align with strategy: and runs-on:) and set contents: read. This constrains the GITHUB_TOKEN used by this job without affecting other workflows. Concretely, edit .github/workflows/docker.yml and insert:

    permissions:
      contents: read

between the build: line and the strategy: line (or between runs-on: and steps:; both are valid, but we’ll place it immediately after build: for clarity). No additional methods, imports, or definitions are required because this is purely a YAML configuration change for GitHub Actions.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
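The change described above, shown in the context of a complete workflow file, before and after the fix. This is an added illustration, not the project's own docker.yml: only the job name build, the strategy:/runs-on:/steps: layout and the inserted permissions block come from the PR; the trigger, the matrix values and the build step are assumed.

```yaml
# Two YAML documents: the workflow as flagged by the alert, then the fixed one.
# Only `build:`, `strategy:`, `runs-on:`, `steps:` and the `permissions:` block
# are from the PR; triggers, matrix values and the build command are assumed.
---
# BEFORE: no permissions block at the top level or on the job, so the job's
# GITHUB_TOKEN inherits the repository/organization default scope set, which
# on older repositories is the read/write preset.
name: docker
on:
  push:
    branches: [main]
  pull_request:
jobs:
  build:
    strategy:
      matrix:
        platform: [linux/amd64, linux/arm64]   # assumed matrix
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build --platform "${{ matrix.platform }}" -t agent:ci .
---
# AFTER: job-level permissions inserted directly under `build:` as the PR
# describes. checkout needs only `contents: read`; because a permissions block
# is now present, every scope not listed in it is set to none for this job
# (metadata: read is always granted by GitHub Actions).
name: docker
on:
  push:
    branches: [main]
  pull_request:
jobs:
  build:
    permissions:
      contents: read
    strategy:
      matrix:
        platform: [linux/amd64, linux/arm64]   # assumed matrix
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build --platform "${{ matrix.platform }}" -t agent:ci .
```

Placing the block between runs-on: and steps: instead is equally valid; what matters is that it sits at the job's indentation level so it applies to that job's token.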

simonmarty and others added 2 commits April 6, 2026 12:20
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Simon Marty <simon.marty@protonmail.com>
Signed-off-by: Simon Marty <martysi@amazon.com>
@simonmarty simonmarty marked this pull request as ready for review April 6, 2026 19:20
@simonmarty simonmarty requested a review from a team as a code owner April 6, 2026 19:20
@simonmarty simonmarty enabled auto-merge (squash) April 6, 2026 19:20
@simonmarty simonmarty closed this Apr 6, 2026
auto-merge was automatically disabled April 6, 2026 19:21

Pull request was closed

@codecov

codecov bot commented Apr 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.14%. Comparing base (7932392) to head (10803d8).

    @@           Coverage Diff           @@
    ##             main     #189   +/-   ##
    =======================================
      Coverage   92.14%   92.14%           
    =======================================
      Files          14       14           
      Lines        2405     2405           
      Branches     2405     2405           
    =======================================
      Hits         2216     2216           
      Misses        143      143           
      Partials       46       46           

☔ View full report in Codecov by Sentry.

@simonmarty simonmarty deleted the alert-autofix-3 branch April 6, 2026 19:27