| Field | Value |
|---|---|
| Rule ID | slsa-build-l2-oidc-token-scope |
| Severity | MEDIUM |
| SLSA level | v1.2 Build L2 |
| Auto-fix | ✓ (what it does) |
## What the check does

Fires on any job that uses one of:

- `actions/attest-build-provenance@…`
- `actions/attest@…`
- `sigstore/cosign-installer@…` (or a `cosign sign` run-line)
- A reusable workflow call under `slsa-framework/slsa-github-generator/...`

and does not grant `permissions: id-token: write`, either at the job level or at the workflow level.
## Why it matters

Sigstore’s keyless signing path mints a short-lived signing certificate from the workflow’s OIDC token. GitHub does not issue that token unless the job (or workflow) explicitly requests `id-token: write`. Without the permission, the signing step fails — and SLSA Build L2’s “signed provenance” requirement is unmet.
## Vulnerable example

## Safe example
## Auto-fix

`--fix` locates the job containing the offending signing step and:

- If the job already has a `permissions:` mapping, appends `id-token: write` (or upgrades an existing `id-token: read` entry).
- If the job has a scalar `permissions:` (e.g. `read-all`), replaces it with `{ contents: read, id-token: write }`.
- If the job has no `permissions:` block at all, adds one with `{ contents: read, id-token: write }`.
The fix does not add `attestations: write` — that’s only required for `actions/attest*` flows, and many signing jobs don’t need it. Add it manually if your tooling reports a missing-permission error after the fix.
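To make the detection rule under "What the check does" and the three auto-fix rules above concrete, here is an added example that models both in Python. It is not the linter's own code: workflows are represented as plain dicts with the same shape as the parsed YAML (a constructed release workflow is embedded inline), and it assumes GitHub's documented permission semantics, where a job-level `permissions:` block replaces the workflow-level one entirely and the scalar `write-all` covers `id-token`. The function names (`find_violations`, `apply_fix`) and the sample job names are this example's own.

```python
"""Added example, not the linter's code: a model of the
slsa-build-l2-oidc-token-scope check and its --fix behaviour over
workflows represented as dicts (same shape as the parsed YAML)."""
import copy
import re

# Step `uses:` prefixes and the run-line pattern that mark a keyless signing step.
SIGNING_USES_PREFIXES = (
    "actions/attest-build-provenance@",
    "actions/attest@",
    "sigstore/cosign-installer@",
)
REUSABLE_GENERATOR_PREFIX = "slsa-framework/slsa-github-generator/"
COSIGN_SIGN_RE = re.compile(r"(^|\s)cosign\s+sign\b")


def is_signing_job(job):
    """True if the job calls a generator reusable workflow or contains a signing step."""
    uses = job.get("uses", "")
    if isinstance(uses, str) and uses.startswith(REUSABLE_GENERATOR_PREFIX):
        return True
    for step in job.get("steps", []) or []:
        step_uses = step.get("uses", "")
        if isinstance(step_uses, str) and step_uses.startswith(SIGNING_USES_PREFIXES):
            return True
        if COSIGN_SIGN_RE.search(str(step.get("run", ""))):
            return True
    return False


def grants_id_token_write(permissions):
    """A mapping must carry an explicit `id-token: write`; among scalars only
    `write-all` is assumed to grant it (per GitHub's documented semantics)."""
    if permissions == "write-all":
        return True
    if isinstance(permissions, dict):
        return permissions.get("id-token") == "write"
    return False


def find_violations(workflow):
    """Return the names of signing jobs that lack id-token: write."""
    workflow_ok = grants_id_token_write(workflow.get("permissions"))
    violations = []
    for name, job in workflow.get("jobs", {}).items():
        if not is_signing_job(job):
            continue
        job_perms = job.get("permissions")
        # Assumption: a job-level block replaces the workflow-level block wholesale,
        # so the workflow-level grant only counts when the job has no block of its own.
        ok = workflow_ok if job_perms is None else grants_id_token_write(job_perms)
        if not ok:
            violations.append(name)
    return violations


def apply_fix(workflow):
    """Return a fixed copy that follows the three --fix rules; the input is untouched."""
    fixed = copy.deepcopy(workflow)
    for name in find_violations(fixed):
        job = fixed["jobs"][name]
        perms = job.get("permissions")
        if isinstance(perms, dict):
            perms["id-token"] = "write"  # append, or upgrade an existing id-token: read
        else:
            # scalar (e.g. read-all) or absent: replace with / add the minimal mapping
            job["permissions"] = {"contents": "read", "id-token": "write"}
    return fixed


# Constructed sample workflow: three signing jobs, each missing the grant differently.
VULNERABLE_WORKFLOW = {
    "name": "release",
    "on": {"push": {"tags": ["v*"]}},
    "permissions": {"contents": "read"},  # workflow level: no id-token here
    "jobs": {
        "build": {"runs-on": "ubuntu-latest", "steps": [{"run": "make dist"}]},
        "sign": {  # scalar permissions: read-all never grants id-token: write
            "runs-on": "ubuntu-latest",
            "permissions": "read-all",
            "steps": [
                {"uses": "sigstore/cosign-installer@v3"},
                {"run": "cosign sign --yes ghcr.io/example/app@${{ steps.build.outputs.digest }}"},
            ],
        },
        "attest": {  # mapping with id-token: read needs upgrading
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "read", "id-token": "read"},
            "steps": [{"uses": "actions/attest-build-provenance@v1"}],
        },
        "provenance": {  # no job block: inherits the workflow block, which lacks the grant
            "uses": "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0",
        },
    },
}

if __name__ == "__main__":
    print("violations:", find_violations(VULNERABLE_WORKFLOW))
    for name, job in apply_fix(VULNERABLE_WORKFLOW)["jobs"].items():
        print(name, "->", job.get("permissions"))
```

Running it reports `sign`, `attest` and `provenance` as violations and leaves `build` alone; after `apply_fix` all three carry `{contents: read, id-token: write}` and a second `find_violations` pass returns nothing. As on the page, the fix never adds `attestations: write`, so an `actions/attest*` job may still need that scope added by hand.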