Least privilege for tokens

Always apply the principle of least privilege when configuring access tokens for CI/CD workflows and other automated processes. Use fine-grained tokens or permissions that grant only the minimum access the specific operation needs, and nothing beyond it.

Reviewer Prompt

For example, if a GitHub workflow only needs to trigger workflow runs in a specific repository, create a fine-grained personal access token whose repository access is restricted to that one repository and whose only permission is “Actions (Read and write)”:

# Example GitHub workflow step using a fine-grained token
- name: Setup workflow
  uses: hashicorp/action-setup-bob@v1
  with:
    # FINE_GRAINED_TOKEN is a placeholder name for the repository secret
    # that holds the token; substitute the secret you created.
    github-token: ${{ secrets.FINE_GRAINED_TOKEN }}
    # Token configured with:
    # - Access to only this specific repository
    # - Only Actions (Read and write) permission
    # - No other permissions granted

This limits the blast radius if the token is ever leaked: whoever holds it can act only on Actions in that one repository, not push code, reach other repositories, or change settings. When using service accounts or tokens in any context, record which repositories and permissions each one has and who owns it, and re-check those grants on a schedule so they stay as narrow as the job requires.
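The same least-privilege and audit discipline applies to the `GITHUB_TOKEN` that every workflow job receives, whose scopes are set in the workflow file through the `permissions:` key. The script below is an added example, not code from the original page or from any project it mentions: it takes a workflow already parsed into a dict (the shape `yaml.safe_load` produces for a workflow file), computes the permissions each job actually ends up with (a job's own block overrides the workflow-level one), and flags anything broader than a documented per-job policy. Both sample workflows, the policy, and all names (`BROAD_WORKFLOW`, `MINIMAL_WORKFLOW`, `POLICY`, `audit_workflow`) are constructed for this example; the scope names and the `read`/`write`/`none`/`read-all`/`write-all` values are the ones GitHub Actions accepts.

```python
"""Least-privilege audit for the `permissions:` key of GitHub Actions workflows.

Added example, not code from the original page. Input is a workflow already
parsed into a dict (as yaml.safe_load would return it).
"""
from typing import Any, Dict, List, Union

# Ordering of the access levels a scope can be given under `permissions:`.
LEVEL = {"none": 0, "read": 1, "write": 2}

Permissions = Union[str, Dict[str, str], None]


def effective_permissions(workflow: Dict[str, Any], job: Dict[str, Any]) -> Permissions:
    """A job's own `permissions:` overrides the workflow-level one; otherwise it inherits."""
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")


def audit_job(name: str, granted: Permissions, required: Dict[str, str]) -> List[str]:
    """Return findings where `granted` differs from `required` (scope -> 'read'|'write')."""
    findings: List[str] = []
    if granted is None:
        # No block at all: the token gets the repository's default, which may be permissive.
        findings.append(f"{name}: no permissions block; token falls back to the repository default")
        return findings
    if granted == "write-all":
        findings.append(f"{name}: 'write-all' grants write on every scope")
        return findings
    if granted == "read-all":
        findings.append(f"{name}: 'read-all' grants read on every scope; list scopes explicitly")
        return findings
    if not isinstance(granted, dict):
        findings.append(f"{name}: unrecognised permissions value {granted!r}")
        return findings
    # Anything granted above what the policy documents is excess privilege.
    for scope, level in granted.items():
        if level not in LEVEL:
            findings.append(f"{name}: unrecognised level {level!r} for {scope}")
            continue
        needed = required.get(scope, "none")
        if LEVEL[level] > LEVEL[needed]:
            findings.append(f"{name}: '{scope}: {level}' exceeds required '{needed}'")
    # Anything the policy documents but the workflow lacks will make the job fail at runtime.
    for scope, level in required.items():
        have = granted.get(scope, "none")
        if LEVEL.get(have, 0) < LEVEL[level]:
            findings.append(f"{name}: missing required '{scope}: {level}' (job will fail)")
    return findings


def audit_workflow(workflow: Dict[str, Any], policy: Dict[str, Dict[str, str]]) -> List[str]:
    """Audit every job; `policy` maps job name -> the scopes that job legitimately needs."""
    findings: List[str] = []
    for name, job in workflow.get("jobs", {}).items():
        findings.extend(audit_job(name, effective_permissions(workflow, job), policy.get(name, {})))
    return findings


# Constructed sample: a workflow that hands every job a write-all token.
BROAD_WORKFLOW = {
    "name": "release",
    "permissions": "write-all",
    "jobs": {
        "build": {"runs-on": "ubuntu-latest", "steps": [{"run": "make"}]},
        "trigger": {"runs-on": "ubuntu-latest",
                    "permissions": {"actions": "write", "contents": "write"},
                    "steps": [{"run": "gh workflow run deploy.yml"}]},
    },
}

# Constructed sample: the same workflow with each job scoped to what it needs.
MINIMAL_WORKFLOW = {
    "name": "release",
    "permissions": {},  # workflow-level default: no scopes at all
    "jobs": {
        "build": {"runs-on": "ubuntu-latest",
                  "permissions": {"contents": "read"},
                  "steps": [{"run": "make"}]},
        "trigger": {"runs-on": "ubuntu-latest",
                    "permissions": {"actions": "write"},
                    "steps": [{"run": "gh workflow run deploy.yml"}]},
    },
}

# The documented need of each job: this is the record the audit runs against.
POLICY = {"build": {"contents": "read"}, "trigger": {"actions": "write"}}

if __name__ == "__main__":
    for label, wf in (("broad", BROAD_WORKFLOW), ("minimal", MINIMAL_WORKFLOW)):
        print(label, audit_workflow(wf, POLICY) or ["ok"])
```

Run against the broad workflow this reports the `write-all` grant on `build` and the unneeded `contents: write` on `trigger`; the minimal workflow passes cleanly. Note that this checks only the automatic `GITHUB_TOKEN`: the scopes of a fine-grained personal access token stored as a secret are set in GitHub's token settings and are not visible in the workflow file, so record them alongside the secret and review them on the same schedule.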

Source discussions