
GA-C003: Overly permissive permissions

Severity: Warning | Category: Security

Why This Matters

Using `permissions: write-all` grants the GITHUB_TOKEN write access to every scope (contents, packages, actions, etc.). If the workflow is compromised via script injection or a malicious action, the attacker gains write access to the entire repository. Always specify the minimum required permissions per scope.

How to Fix

Replace `write-all` with explicit per-scope permissions, granting only the scopes the workflow's jobs actually use.

Before (incorrect)

permissions: write-all

After (correct)

permissions:
  contents: read
  pull-requests: write
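The check this rule describes can be reproduced with a small scanner. The following is an added example, not the rule's own implementation: it walks a workflow file line by line (indentation-aware, standard library only, no YAML parser) and reports every `permissions: write-all` at workflow level or inside a job, then offers a conservative rewrite to `contents: read` that a maintainer extends with the scopes each job needs (as the `pull-requests: write` line above does). The two embedded workflows are constructed sample input; the job ids and step contents are assumptions.

```python
"""Detect and rewrite `permissions: write-all` in GitHub Actions workflows (GA-C003).

Added example, not the project's own code. Assumes the usual workflow layout:
top-level keys at column 0, job ids indented one level under `jobs:`.
"""
import re
from dataclasses import dataclass

# `permissions: write-all`, optionally followed by a comment, at any indentation.
WRITE_ALL_RE = re.compile(r"^(\s*)permissions\s*:\s*write-all\s*(#.*)?$")
# Top-level `jobs:` key.
JOBS_RE = re.compile(r"^jobs\s*:\s*(#.*)?$")
# An indented mapping key with no inline value (candidate job id).
JOB_ID_RE = re.compile(r"^(\s+)([A-Za-z_][\w-]*)\s*:\s*(#.*)?$")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow text
    scope: str     # "workflow", "job:<id>" or "unknown"
    message: str


def scan_workflow(text: str) -> list[Finding]:
    """Return one Finding per `permissions: write-all` occurrence."""
    findings: list[Finding] = []
    in_jobs = False          # currently inside the top-level `jobs:` mapping
    jobs_indent = None       # indentation column of job ids, learned from the first one
    current_job = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # Any new top-level key ends the previous block.
            in_jobs = bool(JOBS_RE.match(line))
            current_job = None
            jobs_indent = None
        elif in_jobs:
            m = JOB_ID_RE.match(line)
            if m and (jobs_indent is None or indent == jobs_indent):
                jobs_indent = indent
                current_job = m.group(2)
        if WRITE_ALL_RE.match(line):
            if indent == 0:
                scope = "workflow"
            elif current_job:
                scope = f"job:{current_job}"
            else:
                scope = "unknown"
            findings.append(Finding(
                lineno, scope,
                "GA-C003: `permissions: write-all` grants GITHUB_TOKEN write access "
                "to every scope; list the minimum required scopes instead",
            ))
    return findings


def rewrite_write_all(text: str) -> str:
    """Replace each `permissions: write-all` with a read-only `contents: read` block.

    This is a conservative starting point (assumed default, not the rule's own
    auto-fix); add write scopes per job afterwards as needed.
    """
    out = []
    for raw in text.splitlines(keepends=True):
        m = WRITE_ALL_RE.match(raw.rstrip("\n"))
        if m:
            indent = m.group(1)
            out.append(f"{indent}permissions:\n{indent}  contents: read\n")
        else:
            out.append(raw)
    return "".join(out)


# Constructed sample: write-all at workflow level (line 3) and in job `release` (line 10).
SAMPLE_WORKFLOW = """name: ci
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  release:
    permissions: write-all
    runs-on: ubuntu-latest
    steps:
      - run: echo release
"""

# Constructed sample with scoped permissions only; must produce no findings.
FIXED_WORKFLOW = """name: ci
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line} [{f.scope}] {f.message}")
    print(rewrite_write_all(SAMPLE_WORKFLOW))
```

Running the module prints both findings from the sample and the rewritten workflow, which the scanner then reports as clean. The line-based approach deliberately ignores the block form (`permissions:` followed by per-scope keys), which is exactly the shape the rule recommends.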

Rule Details

Rule Code: GA-C003
Severity: Warning
Category: Security

Related Rules