require-secret-scan-contents-read
Rule catalog ID: R107
Targeted pattern scope
Jobs that use supported secret-scanning actions.
What this rule reports
This rule reports secret-scanning jobs that do not have an effective `contents: read` grant, taken from either the workflow-level or the job-level `permissions` block.
Why this rule exists
Secret-scanning workflows generally only need read access to repository contents. Making that permission explicit reinforces least privilege.
❌ Incorrect

```yaml
permissions:
  contents: write
```

✅ Correct

```yaml
permissions:
  contents: read
jobs:
  scan:
    permissions:
      contents: read
```
Additional examples
This rule is intentionally narrow and does not try to prescribe every other permission a secret-scanning workflow may or may not need.
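The following is an added example, not code from the plugin: a small checker that applies the rule's reasoning to an already-parsed workflow object. It assumes the caller supplies the list of secret-scanning actions (the plugin's own supported list is not given on this page), and `example-org/secret-scanner-action` is a constructed placeholder name. It also shows the case the rule's wording implies but the YAML above does not spell out: a job-level `permissions` block replaces the workflow-level block entirely, so a job can lose `contents: read` even when the workflow grants it.

```javascript
// Added example (not the plugin's code). Operates on a parsed workflow object
// rather than YAML text so it runs without a YAML parser.

// Assumption: the scanner action list comes from the caller. The name below is
// a constructed placeholder, not a real action.
const DEFAULT_SCANNER_ACTIONS = ["example-org/secret-scanner-action"];

// A job is in scope when any of its steps `uses` one of the scanner actions.
function usesScannerAction(job, scannerActions) {
  const steps = Array.isArray(job.steps) ? job.steps : [];
  return steps.some((step) => {
    if (typeof step.uses !== "string") return false;
    const name = step.uses.split("@")[0]; // drop the version ref, e.g. "@v1"
    return scannerActions.includes(name);
  });
}

// GitHub Actions semantics: a job-level `permissions` block replaces the
// workflow-level block; scopes it does not mention become none.
function effectivePermissions(workflow, job) {
  if (job.permissions !== undefined) return job.permissions;
  return workflow.permissions;
}

// The rule wants an explicit read grant: `contents: read` or the `read-all`
// shorthand. `write`, `write-all`, `{}` or no block at all do not satisfy it.
function hasEffectiveContentsRead(permissions) {
  if (permissions === "read-all") return true;
  if (permissions && typeof permissions === "object") {
    return permissions.contents === "read";
  }
  return false;
}

// Returns one finding per in-scope job lacking effective contents: read.
function findViolations(workflow, scannerActions = DEFAULT_SCANNER_ACTIONS) {
  const jobs = workflow.jobs || {};
  const violations = [];
  for (const [jobId, job] of Object.entries(jobs)) {
    if (!usesScannerAction(job, scannerActions)) continue;
    if (!hasEffectiveContentsRead(effectivePermissions(workflow, job))) {
      violations.push({
        jobId,
        message: `job "${jobId}" runs a secret-scanning action without effective contents: read`,
      });
    }
  }
  return violations;
}

// Constructed sample workflows mirroring the page's Incorrect / Correct YAML.
const INCORRECT_WORKFLOW = {
  permissions: { contents: "write" },
  jobs: {
    scan: { steps: [{ uses: "example-org/secret-scanner-action@v1" }] },
  },
};

const CORRECT_WORKFLOW = {
  permissions: { contents: "read" },
  jobs: {
    scan: {
      permissions: { contents: "read" },
      steps: [{ uses: "example-org/secret-scanner-action@v1" }],
    },
  },
};

// Shadowing case: the workflow grants read, but the job's own block omits
// contents, so the job is still reported. The build job is not a scanner job
// and is ignored regardless of its permissions.
const SHADOWED_WORKFLOW = {
  permissions: { contents: "read" },
  jobs: {
    scan: {
      permissions: { "pull-requests": "write" },
      steps: [{ uses: "example-org/secret-scanner-action@v1" }],
    },
    build: { steps: [{ uses: "actions/checkout@v4" }] },
  },
};
```

Calling `findViolations(SHADOWED_WORKFLOW)` reports only `scan`; the same check on `CORRECT_WORKFLOW` returns no findings and on `INCORRECT_WORKFLOW` returns one.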
ESLint flat config example

```js
import githubActions from "eslint-plugin-github-actions-2";
export default [githubActions.configs.security];
```
When not to use it
Disable this rule if your scanner workflow runs in an unusual environment that truly does not need repository contents access.