Skip to content

Stop checkov from writing github_conf into the scanned repo#15

Merged
satsura merged 1 commit into
mainfrom
fix/checkov-workspace-pollution
Jul 14, 2026
Merged

Stop checkov from writing github_conf into the scanned repo#15
satsura merged 1 commit into
mainfrom
fix/checkov-workspace-pollution

Conversation

@satsura

@satsura satsura commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

actions/checkout has been failing on the SportsID self-hosted runners:

EACCES: permission denied, unlink '.../web-apps/github_conf/branch_protection_rules.json'

Checkov's github_configuration framework calls the GitHub API (a GITHUB_TOKEN is in the environment for PR comments) and dumps github_conf/ into the working directory. Our container runs as root over the mounted workspace, so the directory survives the scan owned by root — and the runner's user cannot delete it on the next checkout. That fails every workflow on that runner+repo, not only the scan: web-apps has had Security, PR Preview and CodeQL red since 13 July, and the scan that would have confirmed the jspdf/next fixes never ran.

  • skip the framework (it audits branch protection, which we do not act on)
  • restore workspace ownership after the scan, as a guard against any other scanner leaving root-owned files

The github_configuration framework dumps branch_protection_rules.json
into the working directory. The container runs as root over a mounted
workspace, so the file outlives the scan owned by root and the next
actions/checkout — running as the runner's user — cannot delete it and
fails every workflow on that runner.

Skip the framework, and hand the workspace back to its owner after the
scan as a guard.
@satsura
satsura merged commit 4e4788f into main Jul 14, 2026
3 checks passed
@satsura
satsura deleted the fix/checkov-workspace-pollution branch July 14, 2026 05:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants