Description
The ci.yml workflow has no permissions: block, so GITHUB_TOKEN receives the default repository permissions (typically contents: write, packages: write, etc.). This violates the principle of least privilege for a workflow that only needs to run cargo check/test/clippy/fmt.
The audit job also passes the token to a third-party action (rustsec/audit-check) with those elevated permissions.
Location
.github/workflows/ci.yml — top level
Suggested Fix
Add a restrictive top-level permissions block:
```yaml
permissions:
  contents: read
```
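As an added example (not the repository's own ci.yml), this is what a full workflow looks like with the fix applied: the top-level block makes every job's token read-only, and only the audit job is widened at job level to the scopes rustsec/audit-check's README asks for. Job names, triggers, and the action pins are assumptions for illustration; verify the audit job's scopes against the version you pin.

```yaml
# Added example, not the project's actual ci.yml. Job layout, triggers and
# action versions are assumptions for illustration.
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Top-level default for every job: GITHUB_TOKEN can only read repository
# contents. Jobs that need more must opt in explicitly below.
permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy, rustfmt
      # None of these steps write to the repository, so the read-only
      # default token is sufficient.
      - run: cargo fmt --all -- --check
      - run: cargo clippy --all-targets -- -D warnings
      - run: cargo check --all-targets
      - run: cargo test --all-targets

  audit:
    runs-on: ubuntu-latest
    # Job-level permissions replace the top-level block for this job only.
    # The third-party action receives a token with these scopes and nothing
    # else; contents stays read-only here too.
    permissions:
      contents: read
      issues: write
      checks: write
    steps:
      - uses: actions/checkout@v4
      - uses: rustsec/audit-check@v1.4.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

Note that a job-level `permissions:` block does not merge with the top-level one; any scope not listed in the job block is set to `none` for that job.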
Severity
Low
Found by: Claude Opus security review