Policy as Code Permissions

[GeekMasher]

When running the policy-as-code as an GitHub Action or a CLI, you will need to make sure you have setup the correct permissions of your Access Token (Personal Access Token / PAT or GitHub App Token) for each application.

Here is a table which defines which permissions you'll need to get the data and alerts from GitHub.

Feature	Permission(s)	Note(s)
Code Scanning	security_events
Secret Scanning	security_events
Dependabot (main branch)	contents
Dependabot (pull request)	security_events
Licensing (main branch)	contents
Licensing (pull request)	security_events

Actions

In the case of Actions, you'll need to add the following:

permissions:
  contents: read
  security-events: read

Personal Access Token or GitHub App

When using a GitHub PAT or App, you'll need to make sure the following permissions are set:

This is a fine-grain PAT

[Pradoxzon]

The Pull Request comment functionality with the --pr-comment flag also requires read and write access to Pull Requests.

For fine-grain PAT and GitHub Apps:

[eidottermihi]

fyi - the table above says security_events- but it should be security-events (workflow example is correct, also see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions)