Why does zizmor need a GitHub token? #1498
Why does zizmor need a GitHub token to perform online audits? Why doesn't zizmor just use the token from GitHub Actions to perform the fetches in other repositories? It feels insecure to provide a powerful token without knowing exactly what is being done with it.
Replies: 1 comment
Can you elaborate? That's exactly what it does by default when you use the GitHub action:
https://docs.zizmor.sh/integrations/#via-zizmorcorezizmor-action

Observe that there are no custom tokens in the setup, only the default runner token (which we intentionally scope down to a limited set of permissions).

Yes, you should not give zizmor a more powerful token than it needs. Those needs are documented here and roughly correspond to read-only access:
https://docs.zizmor.sh/usage/#github-api-token-permissions

Did another resource online tell you to use more permissive credentials than the one above?
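For illustration, here is the shape of the setup the reply describes: a workflow that runs the action on nothing but the runner's own default token, with job permissions scoped down to read-only. This is an added example, not the project's own documentation; the `<pinned-sha>` placeholder and the assumption that the action needs no custom `token` input are mine.

```yaml
name: zizmor

on:
  push:
  pull_request:

# Deny everything at the workflow level; each job opts in to what it needs.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # read-only: the level the reply says zizmor needs
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the runner token in .git/config for later steps.
          persist-credentials: false

      # Assumption: the action picks up the default runner token itself, so
      # no secrets.* value is passed in. Replace <pinned-sha> with a full
      # commit SHA of the release you audited.
      - uses: zizmorcore/zizmor-action@<pinned-sha>
```

The point to check in your own workflow is the absence of any `secrets.*` token on the zizmor step: if a personal access token is being passed there, that is the "more powerful token than it needs" the reply warns against.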