June 21-24, 2022
Austin, Texas, USA + Virtual
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit North America 2022 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Central Daylight Time (UTC -5). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Back To Schedule
Thursday, June 23 • 5:55pm - 6:05pm
Lightning Talk: Automatically Restrict Permissions for the GITHUB Token - Varun Sharma, StepSecurity

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
There are millions of open-source projects on GitHub. GitHub Actions is a CI/CD platform and there are over 2 million GitHub Actions workflows used by open-source projects.  

Each GitHub Actions workflow gets a GITHUB token. Restricting permissions for this token is recommended by the GitHub Actions Hardening Guide and by Open Source Security Foundation (OSSF) Security Scorecards.  

Setting permissions for this token is hard. There is a steep learning curve. Different GitHub Actions need different permissions, so developers must painfully research the correct permissions for each Action used in their workflow. Many developers are not aware of this token or that permissions can actually be restricted.  

SecureWorkflows (https://github.com/step-security/secure-workflows) is an open-source project that enables automatic restriction of permissions for the GITHUB token. It has been used to set token permissions for hundreds of workflows, including for the GitHub Actions starter workflows, and is recommended by OSSF Scorecards to fix token permissions. 

This talk will discuss the importance of setting minimum permissions for the GITHUB token, share a real use case where the token was used to overwrite a release branch in Visual Studio Code’s GitHub repository, and give an overview & demo of the SecureWorkflows project.

avatar for Varun Sharma

Varun Sharma

Founder & CEO, StepSecurity
Varun Sharma is the founder of StepSecurity, a cybersecurity startup to thwart software supply chain attacks. Before starting StepSecurity, Varun was a Principal Security Software Engineering Manager at Microsoft, where he led the Green Team, with a charter to solve high-risk, systemic... Read More →

Thursday June 23, 2022 5:55pm - 6:05pm CDT
Lone Star G (Level 3)