Summary
The OpenSSF Scorecard Token-Permissions check flags GitHub Actions workflows in this repository that do not restrict the default GITHUB_TOKEN permissions.
Scorecard Warning
Warn: no topLevel permission defined: .github/workflows/antithesis-verify.yml:1
Proposed Fix
Add permissions: contents: read at the workflow level in antithesis-verify.yml. This follows the principle of least privilege and restricts the token to only reading repository contents.
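A constructed illustration of the fix (not the repository's actual antithesis-verify.yml, whose job contents are assumed from the description above: a checkout step and a local Docker build). The top-level permissions block is the only change Scorecard asks for; everything else is placeholder workflow structure.

```yaml
# Constructed example, not the real antithesis-verify.yml from this repository.
name: antithesis-verify

on:
  pull_request:
  push:
    branches: [main]

# The fix: a workflow-level permissions block. Without it, GITHUB_TOKEN receives
# the repository's default scope, which on older repositories can be read-write
# on every permission. With it, every job inherits only contents: read unless
# the job declares its own permissions block.
permissions:
  contents: read

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      # actions/checkout only needs read access to repository contents.
      - uses: actions/checkout@v4

      # A local image build never uses GITHUB_TOKEN, so nothing breaks when the
      # token is narrowed (the "no functional impact" point in the Impact list).
      - run: docker build -t antithesis-verify .

  # Assumed extra job, shown only to illustrate scoping: a job that genuinely
  # needs a write scope declares it at job level, so the wider grant is limited
  # to that one job rather than the whole workflow.
  # publish:
  #   runs-on: ubuntu-latest
  #   needs: verify
  #   permissions:
  #     contents: read
  #     packages: write
  #   steps:
  #     - run: echo "push the image here"
```

Job-level blocks replace rather than merge with the top-level one, so a job that overrides permissions must list every scope it needs, including contents: read for checkout.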
Impact
- Improves the OpenSSF Scorecard Token-Permissions score
- Follows security best practices by applying the principle of least privilege to CI/CD tokens
- No functional impact — the workflow only checks out code and runs Docker builds locally
References