
GA-C009: Dangerous token scope combination

Severity: Warning | Category: Security

Why This Matters

Certain combinations of GITHUB_TOKEN write permissions create privilege-escalation paths. For example, `contents: write` combined with `actions: write` lets the token both modify workflow files and trigger them, enabling self-modifying CI attacks. `id-token: write` combined with any other write scope allows OIDC impersonation. Split dangerous combinations into separate jobs, each with only the permissions it requires.

How to Fix

Use the minimal required permission scopes. If different steps need different scopes, split them into separate jobs so that no single job's token carries a dangerous combination.

Before (incorrect)

# Workflow-level block: every job's token can both edit and trigger workflows
permissions:
  contents: write
  actions: write

After (correct)

# Job-level blocks replace the workflow-level permissions, so each token holds one scope
jobs:
  build:
    permissions:
      contents: write   # only this job can push to the repository
  deploy:
    permissions:
      actions: write    # only this job can dispatch workflows
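The check this rule performs can be reproduced over a parsed workflow. The following is an added example, not the linter's own code: it takes the mapping that `yaml.safe_load` would return for a workflow file, resolves each job's effective `permissions` (a job-level block replaces the workflow-level one), and reports the two combinations described above. The sample workflows are constructed to mirror the Before and After snippets.

```python
"""GA-C009-style check over a parsed GitHub Actions workflow (example code)."""
from typing import Any

# Scopes GITHUB_TOKEN can grant; `write-all` is the shorthand for all of them at write level.
WRITE_SCOPES = {"actions", "checks", "contents", "deployments", "discussions", "id-token",
                "issues", "packages", "pages", "pull-requests", "repository-projects",
                "security-events", "statuses"}

def write_scopes(perms: Any) -> set[str]:
    """Return the scopes a `permissions:` value grants at write level."""
    if perms == "write-all":
        return set(WRITE_SCOPES)
    if not isinstance(perms, dict):
        return set()  # missing block, `read-all`, or `{}` grant no write scope
    return {scope for scope, level in perms.items() if level == "write"}

def dangerous_combinations(scopes: set[str]) -> list[str]:
    """Findings for one effective permission set, in the order the rule text gives them."""
    findings = []
    if {"contents", "actions"} <= scopes:
        findings.append("contents:write + actions:write (modify and trigger workflows)")
    if "id-token" in scopes:
        others = sorted(scopes - {"id-token"})
        if others:  # id-token:write alone is not flagged; any other write scope is
            joined = " + ".join(f"{s}:write" for s in others)
            findings.append(f"id-token:write + {joined} (OIDC impersonation)")
    return findings

def check_workflow(workflow: dict) -> dict[str, list[str]]:
    """Map each job name to its findings. A job-level `permissions` block replaces the
    workflow-level block entirely, so the effective set is whichever one is present."""
    top = workflow.get("permissions")
    results = {}
    for name, job in workflow.get("jobs", {}).items():
        effective = job["permissions"] if "permissions" in job else top
        results[name] = dangerous_combinations(write_scopes(effective))
    return results

# Constructed samples: the Before and After snippets as yaml.safe_load would return them.
BEFORE = {"permissions": {"contents": "write", "actions": "write"},
          "jobs": {"release": {"runs-on": "ubuntu-latest", "steps": []}}}
AFTER = {"jobs": {"build": {"permissions": {"contents": "write"}},
                  "deploy": {"permissions": {"actions": "write"}}}}

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        for job, findings in check_workflow(wf).items():
            print(f"{label}/{job}: {findings or 'ok'}")
```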

Rule Details

Rule Code: GA-C009
Severity: Warning
Category: Security

Related Rules