Added Avoiding Github id-token Default Values rule

Added negative test
julienbonastre · Mar 24, 2023 · 9a2c6a0 · 9a2c6a0
1 parent ccacecb
commit 9a2c6a0
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 0 deletions.
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -266,6 +266,10 @@
           "description": "Avoiding LifecycleActionToken Var",
           "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
         },
+        {
+          "description": "Avoiding Github id-token Default Values",
+          "regex": "(?i)['\"]?id-token\\s*[:=]\\s*(write|read|none)\\s*$"
+        },
         {
           "description": "Avoiding result_token Var",
           "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"

diff --git a/assets/queries/common/passwords_and_secrets/test/negative52.yaml b/assets/queries/common/passwords_and_secrets/test/negative52.yaml
@@ -0,0 +1,51 @@
+name: Example Workflow
+
+on: workflow_call
+
+jobs:
+  build-deploy:
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+
+    runs-on: ubuntu
+
+    steps:
+      - uses: actions/checkout@v3
+
+---
+
+name: Example Workflow
+
+on: workflow_call
+
+jobs:
+  build-deploy:
+    permissions:
+      contents: read
+      pages: write
+      id-token: read
+
+    runs-on: ubuntu
+
+    steps:
+      - uses: actions/checkout@v3
+
+---
+
+name: Example Workflow
+
+on: workflow_call
+
+jobs:
+  build-deploy:
+    permissions:
+      contents: read
+      pages: write
+      id-token: none
+
+    runs-on: ubuntu
+
+    steps:
+      - uses: actions/checkout@v3