From f0a2ae9ff3065fc8f5b6892436a7a5ce564eeb66 Mon Sep 17 00:00:00 2001 From: Tom Fifield Date: Fri, 7 Mar 2025 08:52:54 +0800 Subject: [PATCH] Give Semgrep permission to write its report (#6253) Previously semgrep had read-all permission. This patch limits read slightly and adds write permissions to security-events. --- .github/workflows/sec_sast_semgrep_cron.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sec_sast_semgrep_cron.yml b/.github/workflows/sec_sast_semgrep_cron.yml index 944103562..a7cd7fa24 100644 --- a/.github/workflows/sec_sast_semgrep_cron.yml +++ b/.github/workflows/sec_sast_semgrep_cron.yml @@ -6,7 +6,10 @@ on: schedule: - cron: 0 1 * * 6 -permissions: read-all +permissions: + actions: read + contents: read + security-events: write jobs: semgrep-full:
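Review bot: the replacement of `permissions: read-all` with the explicit `actions: read`, `contents: read`, `security-events: write` block narrows the token considerably more than "limits read slightly" suggests, since `read-all` granted read on every scope (issues, pull-requests, packages and so on) and the new block grants none of those; that is the right least-privilege direction, but the commit message should say so plainly, and the reviewer should confirm from the job steps (not visible in this hunk) that nothing in `semgrep-full` relied on one of the dropped read scopes. The `security-events: write` grant is only justified if the job uploads its SARIF report to code scanning; if the report is merely stored as an artifact, that scope is unnecessary and should be left out, and conversely the upload step is the only place in the workflow where that token scope should be exercised, so a later change that adds more steps to this job should keep the block this tight rather than falling back to `write-all`.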