H3-2025-0006

GitHub Actions Excessive Permissions

Category SECURITY_MISCONFIGURATION
Base Score 5.0

Description

GitHub Actions workflows are configured with specific permissions to carry out designated tasks, and every job within a workflow automatically inherits these permissions. When a workflow is granted broad, excessive permissions, it expands the potential attack surface. Malicious actors can target the workflow or any of its jobs (even those that don't actually need such privileges) to execute unauthorized actions, potentially compromising repository integrity or accessing sensitive data.
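As an added illustration that is not part of this advisory, the weak configuration described above beside a least-privilege version of the same workflow. The workflow names, job names and the release command are assumed for the example; the `permissions` syntax is GitHub's own.

```yaml
# Weak: a top-level `write-all` grant is inherited by every job in the
# workflow, including the test job, which only needs to read the repository.
name: ci-weak                       # assumed workflow name
on: [push, pull_request]
permissions: write-all              # broad grant inherited by every job below
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test               # needs contents: read, yet runs with write-all
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "$GITHUB_REF_NAME"   # assumed release step
        env:
          GH_TOKEN: ${{ github.token }}

---
# Hardened: the workflow default is read-only (use `permissions: {}` to grant
# nothing), and only the job that must write receives the single scope it
# needs. A job-level `permissions` block replaces the workflow default rather
# than adding to it, so every scope not listed here stays unset for that job.
name: ci-hardened                   # assumed workflow name
on: [push, pull_request]
permissions:
  contents: read                    # default for every job in the workflow
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test               # inherits contents: read only
  release:
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    permissions:
      contents: write               # the one scope the release step requires
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "$GITHUB_REF_NAME"   # assumed release step
        env:
          GH_TOKEN: ${{ github.token }}
```

With the hardened form, a compromised step in `test` holds a token that can only read repository contents, so the blast radius is limited to the one job that was explicitly granted write access.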

Impact

An attacker may exploit this weakness to obtain code execution or steal sensitive information.

References