Add additional prms for scorecard template for private repos(int -> main) #2485
Please find StepSecurity AI-CodeWise code comments below.

Code Comments

testfiles/addworkflow/expected-scorecards.yml

- [High] Do not grant unnecessary permissions
  The tokens are granting excessive permissions to the 'api' client. This can pose a security risk if the tokens are leaked, or otherwise used maliciously. Review and remove unnecessary permissions granted in the provided token.
- [Medium] Validate scopes in the access tokens
  The access token scopes need to be validated to ensure that the client application only has access to the minimum level of required resources. Ensure that the scopes embedded in the access token are limited to the necessary resources and permissions.
- [Medium] Use a specific scope instead of wildcard scope
  Using wildcard scope ('') in access token grants more permissions than needed; this could open up the application to unexpected risks. Define a specific scope instead of using wildcard ('') that grants only necessary permissions.
- [Medium] Assign minimum permission needed to the target
  The provided access tokens have too many permissions, including read and write access to certain resources. This permission model can lead to unauthorized modification, resource or data access. Limit the permissions to the bare minimum needed to accomplish the target operation.
- [Low] Reduce token expiry interval
  The access tokens' expiry time is not defined. This can lead to risky situations where the tokens might be compromised and used maliciously. Set the token expiration interval to minimize the window of opportunity for a malicious actor to compromise an expired token.
- [Low] Use token revocation when needed
  There is no information on whether the access tokens are being revoked after usage, which could lead to compromised tokens being used maliciously. Implement token revocation in your authentication solution when it is appropriate.
- [Low] Limit the lifetime of access tokens
  There is no reference to the lifespan of the access tokens, which can lead to risks associated with leaked tokens. Limit the lifespan of access tokens to minimize the window of opportunity for attackers in case these tokens are compromised.
- [Low] Restrict API reading permissions
  API application code needs to restrict read permissions to the bare minimum required by its intended use. Delete the issues and checks permissions from the provided API token.
- [Low] Limit PR permissions for GraphQL queries
  Limit the permissions for GraphQL queries that access Pull Request objects. Remove the permission grant for 'pull-requests: read' in the api client token.
- [Low] Restrict actions permissions
  API application code should restrict action permissions to the bare minimum required by its intended use. Delete the 'actions: read' permission from the provided token.
- [Low] Avoid using personal access tokens
  The provided access tokens are personal access tokens that come with elevated privileges. This can pose a risk if the tokens are misused or fall into the wrong hands. Use short-lived tokens instead of personal access tokens, and when a private access token is needed, follow the recommendations from the official documentation.

workflow-templates/scorecards.yml

- [High] Avoid exposing unnecessary permissions and actions to service accounts in CI/CD pipelines
  The service account configuration for CI/CD pipelines has unnecessary permissions that could potentially lead to unauthorized access to sensitive data or functionality. Remove the unnecessary permissions for service accounts.
- [Medium] Avoid using wildcard permissions in the configuration of service accounts
  The service account configuration for CI/CD pipelines has used wildcard () permissions, which poses a risk of unauthorized access. Replace wildcard () permissions with the specific permissions required for pipeline actions to reduce the attack surface.
- [Low] Avoid using outdated/insecure Kubernetes API versions
  The Kubernetes API version being used in the pipeline configuration is outdated and could have security vulnerabilities. Update the pipeline configuration to use the latest version of the Kubernetes API that is secure and stable.

Feedback

We appreciate your feedback in helping us improve the service! To provide feedback, please use emojis on this comment. If you find the comments helpful, give them a 👍. If they aren't useful, kindly express that with a 👎. If you have questions or detailed feedback, please create a GitHub issue in StepSecurity/AI-CodeWise.
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files:

```
@@ Coverage Diff @@
##             main    #2485   +/-   ##
=======================================
  Coverage   67.56%   67.56%
=======================================
  Files          16       16
  Lines        1292     1292
=======================================
  Hits          873      873
  Misses        332      332
  Partials       87       87
```

☔ View full report in Codecov by Sentry.