Default GITHUB_TOKEN permissions are not not enough to fetch alerts

[roimor]

The README mentions that "For accessing the Code Scanning alert data, the action uses the GITHUB_TOKEN which is automatically created for you, so you don't need to provide it".

But in reality i had to manually create another PAT and use it like that for the actions to successfully fetch security alerts:

jobs:
jira-sync:
name: Jira Sync
runs-on: ubuntu-latest
steps:
- name: Sync alerts to Jira issues
uses: github/ghas-jira-integration@v1
with:
github_token: ${{ secrets.TEST_GITHUB_TOKEN }}
jira_token: ${{ secrets.JIRA_TOKEN }}
jira_url: 'https://apiseq.atlassian.net'
jira_user: '[email protected]'
jira_project: ${{ github.event.inputs.project }}
jira_labels: 'code-scanning'
sync_direction: 'gh2jira'

when not adding the manually created PAT i get the following error:
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://api.github.com/repos/neosec-com/neosec-frontend/secret-scanning/alerts?per_page=100

[ghost]

@roimor if you curl the endpoint with a run action and use ${{ secrets.GITHUB_TOKEN }} do you see the same behaviour? We may get some additional information with the verbose output.

EDIT: I appear to be running into the same problem now, I wonder when this behaviour changed 🤔

[cmboling]

The README was updated to reflect this issue. According to the list endpoint, you must be an admin of the repo/org and the token must have the security scope. https://docs.github.com/en/rest/reference/secret-scanning#list-secret-scanning-alerts-for-a-repository

That's why the PAT works and the permissions of the GITHUB_TOKEN doesn't. I believe this extends to users who were given access to the alerts by an admin too 🤔

[roimor]

@cmboling quoting from the README line 25-26:
"For accessing the Code Scanning alert data, the action uses the GITHUB_TOKEN which is automatically created for you, so you don't need to provide it"

... The docs are still misleading.

@AWNCypher indeed, before i opened this issue i tried running curl with the default token and run into the same problem.

[cmboling]

Ok I can clear up the docs, no problem!

@roimor are you an admin of the repo that you're testing?
If there's someone on your team who is an org owner or admin of the repo and can generate an access token with the security_events scope and save it as a secret, then the GHAS Jira integration workflow will pass. That would be the quick win here. Unfortunately the default GITHUB_TOKEN in Actions can't list the secret scanning alerts.

[roimor]

I am the org admin, and yes that is partially the workaround.. while you also need to be repository admin

[marvelous-melanie]

Dropping a comment here - we had this issue, and it wound up being that our org has SAML enforcement that prevented PATs even with full permissions from accessing org resources. You need to authorize the PAT specifically for this use case.

Also want to say that GH documents the ability to scope the Actions GITHUB_TOKEN to security-events but the default token did not appear to work even with that scope included.

It would probably be helpful if raise_for_status printed the error message.