Skip to content

Potential fix for code scanning alert no. 5: Workflow does not contain permissions#212

Merged
Novaes merged 1 commit into
mainfrom
users/mnovaes/add-workflow-required-permission
Jul 8, 2025
Merged

Potential fix for code scanning alert no. 5: Workflow does not contain permissions#212
Novaes merged 1 commit into
mainfrom
users/mnovaes/add-workflow-required-permission

Conversation

@Novaes

@Novaes Novaes commented Jul 8, 2025

Copy link
Copy Markdown
Collaborator

Potential fix for https://github.com/microsoft/azure-devops-mcp/security/code-scanning/5

To fix the issue, we need to add the permissions key to the workflow file. Since the workflow does not require write access to the repository, we can set the permissions to contents: read. This will limit the access of the GITHUB_TOKEN to read-only for repository contents, ensuring the workflow adheres to the principle of least privilege.

The permissions key should be added at the root level of the workflow file to apply to all jobs (build and static-code-analysis) unless overridden by a specific job.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions

github-actions Bot commented Jul 8, 2025

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@Novaes Novaes marked this pull request as ready for review July 8, 2025 17:47
@Novaes Novaes merged commit 495f39a into main Jul 8, 2025
8 of 10 checks passed
@danhellem danhellem deleted the users/mnovaes/add-workflow-required-permission branch August 13, 2025 19:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants