Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug: Token-Permissions alert contains broken link #1386

Open
jasonkarns opened this issue Jun 2, 2024 · 4 comments
Open

Bug: Token-Permissions alert contains broken link #1386

jasonkarns opened this issue Jun 2, 2024 · 4 comments

Comments

@jasonkarns
Copy link

The description of this alert:

image

contains a link. The link generated is: https://app.stepsecurity.io/secureworkflow but the url is wrong and gets a 404.

image
@varunsh-coder
Copy link

Hi @jasonkarns I tried to repro this issue but I get a different URL which works fine.
You can see the url in the build log here: https://github.com/varunsh-coder/scorecard-action-1386/actions/runs/9454632039/job/26042617909#step:4:700

Can you please share link to a scorecard-action workflow run where you got this url?

@jasonkarns
Copy link
Author

The run is behind github's code scanning, which isn't part of the public Actions runs. It's under the private Security tab: https://github.com/nodenv/node-build/security/code-scanning/15

The link url is: https://app.stepsecurity.io/secureworkflow/github.com/nodenv/node-build/version.yml/main?enable=permissions

@spencerschrock
Copy link
Member

it seems an extra github.com is being inserted here, and must have been between v2.3.1 and v2.3.3 (which corresponds to v4.13.1 and v5.0.0-rc2 of scorecard), causing the link to 404.

@spencerschrock
Copy link
Member

spencerschrock commented Jul 10, 2024

I was looking at this briefly to see if it was something we could address before the next release this week, and I'm actually unable to replicate.

Copy/pasted from my security tab in a test repo:

.github/workflows/ref.yml:1
name: test ref
score is 0: no topLevel permission defined
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants