
iac/actions/gha-permissions-write-all

Workflow grants write-all permissions

Severity: medium | Platform: GitHub Actions | Category: iac-actions

What it detects

`permissions: write-all` (or the older default behaviour when no `permissions:` block is set at all) gives GITHUB_TOKEN write access on every scope of the repository for every step of the workflow, including steps that call a compromised third-party action.

Remediation

Add an explicit `permissions:` block at the top of the workflow with only the scopes the jobs actually need (e.g. `contents: read`).
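As an added illustration (not part of this rule page or of the project's own code; workflow, job, action and script names are assumed), the flagged pattern followed by the least-privilege form the remediation describes. The two workflows are separated by a YAML document marker so they fit in one block; only the job that really needs write access elevates, and only for the one scope it needs:

```yaml
# Before (flagged): every step in every job, including any action it
# calls, runs with a GITHUB_TOKEN that can write to every scope.
# Omitting the `permissions:` key entirely is flagged the same way.
name: ci-before
on: [push, pull_request]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin third-party actions to a full commit SHA in practice
      - run: make test

---
# After (remediated): workflow-level default is read-only; the release
# job overrides it with the single scope it needs.
name: ci-after
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  release:
    if: github.ref == 'refs/heads/main'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write        # required to push a tag / create a release
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish.sh   # assumed release script
```

Job-level `permissions:` replaces the workflow-level block for that job rather than merging with it, so list every scope the job needs there.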

How it runs

The rule runs against `.github/workflows/*.yml` files. It targets the published patterns behind real-world breaches (GhostAction, s1ngularity, tj-actions/changed-files).

Found a false positive or want this rule tuned? File an issue. You can also suppress it per repository with a `.repoguardignore` line.