# require-dependency-review-permissions-contents-read

Rule catalog ID: R092
## Targeted pattern scope

Workflows that use `actions/dependency-review-action`.
## What this rule reports

This rule reports jobs that use the dependency review action but do not have an effective `contents: read` permission, declared either at the workflow level or at the job level.
## Why this rule exists

Dependency review only needs read access to repository contents. Requiring that explicit least-privilege permission keeps the security posture reviewable and prevents drift toward a broader token scope.
## ❌ Incorrect

```yaml
on: [pull_request]
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/dependency-review-action@v4
```
## ✅ Correct

```yaml
on: [pull_request]
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/dependency-review-action@v4
```

```yaml
on: [pull_request]
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/dependency-review-action@v4
```
## Additional examples

This rule complements `require-workflow-permissions` by enforcing the narrower security expectation specific to dependency review jobs, without forcing that permission to live only at the workflow root.
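The following is an added illustration of the check this rule performs; it is not the plugin's own implementation. It takes an already-parsed workflow object (a YAML parser such as `js-yaml` is assumed to have produced it) and resolves the effective `contents` permission per job using GitHub's actual semantics: a job-level `permissions` block replaces the workflow-level block entirely rather than merging with it, the `read-all` / `write-all` shorthands expand to every scope, and an explicit block that omits `contents` grants nothing for that scope. The sample workflows are constructed for this example and mirror the incorrect and correct cases above, plus the override case that the merge-vs-replace distinction matters for.

```javascript
// Added example (not the plugin's code): resolve the effective `contents`
// permission for each job and flag dependency-review jobs lacking `contents: read`.
// Input is an already-parsed workflow object; YAML parsing is assumed to be done
// by a library such as js-yaml.

const DEPENDENCY_REVIEW_ACTION = "actions/dependency-review-action";

// Normalise a `permissions` value into a scope->level map.
// Returns null when nothing explicit was declared at that level.
function normalizePermissions(perms) {
  if (perms === undefined || perms === null) return null;
  if (perms === "read-all") return { "*": "read" };
  if (perms === "write-all") return { "*": "write" };
  if (typeof perms === "object") return { ...perms };
  return null; // unrecognised shape: treat as not explicit
}

// A job-level `permissions` block replaces the workflow-level one; it is not merged.
// Only the innermost explicit block determines the token scopes for the job.
function effectiveContentsPermission(workflow, job) {
  const jobPerms = normalizePermissions(job.permissions);
  const workflowPerms = normalizePermissions(workflow.permissions);
  const active = jobPerms !== null ? jobPerms : workflowPerms;
  if (active === null) return null; // nothing explicit; repository default applies
  if ("contents" in active) return active.contents;
  if ("*" in active) return active["*"];
  return "none"; // explicit block that omits contents grants no contents access
}

// True when any step of the job references the dependency review action (any ref).
function usesDependencyReview(job) {
  return (job.steps || []).some(
    (step) =>
      typeof step.uses === "string" &&
      step.uses.split("@")[0] === DEPENDENCY_REVIEW_ACTION
  );
}

// Returns the names of jobs this check would report.
function findViolations(workflow) {
  const violations = [];
  for (const [name, job] of Object.entries(workflow.jobs || {})) {
    if (!usesDependencyReview(job)) continue;
    if (effectiveContentsPermission(workflow, job) !== "read") violations.push(name);
  }
  return violations;
}

// Constructed sample workflows (not from any real repository).
const reviewStep = { uses: "actions/dependency-review-action@v4" };

const incorrectWrite = {
  on: ["pull_request"],
  jobs: {
    "dependency-review": {
      "runs-on": "ubuntu-latest",
      permissions: { contents: "write" },
      steps: [reviewStep],
    },
  },
};

const correctWorkflowLevel = {
  on: ["pull_request"],
  permissions: { contents: "read" },
  jobs: { "dependency-review": { "runs-on": "ubuntu-latest", steps: [reviewStep] } },
};

const correctJobLevel = {
  on: ["pull_request"],
  jobs: {
    "dependency-review": {
      "runs-on": "ubuntu-latest",
      permissions: { contents: "read" },
      steps: [reviewStep],
    },
  },
};

// Workflow grants contents: read, but the job's own block replaces it and omits contents.
const jobOverrideLosesContents = {
  on: ["pull_request"],
  permissions: { contents: "read" },
  jobs: {
    "dependency-review": {
      "runs-on": "ubuntu-latest",
      permissions: { "pull-requests": "write" },
      steps: [reviewStep],
    },
  },
};

const readAllShorthand = {
  on: ["pull_request"],
  permissions: "read-all",
  jobs: { "dependency-review": { "runs-on": "ubuntu-latest", steps: [reviewStep] } },
};

for (const [label, wf] of Object.entries({ incorrectWrite, correctWorkflowLevel, correctJobLevel, jobOverrideLosesContents, readAllShorthand })) {
  console.log(label, "->", findViolations(wf));
}
```

The `jobOverrideLosesContents` case is the one that a naive "is `contents: read` present anywhere" scan gets wrong: the workflow root does declare it, but the job's own `permissions` block discards it, so the job's token has no contents scope at all.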
## ESLint flat config example

```js
import githubActions from "eslint-plugin-github-actions-2";

export default [githubActions.configs.security];
```
## When not to use it

Disable this rule only if a repository-local wrapper around dependency review genuinely needs broader permissions and that design has already been reviewed.