From 2a8da611f611789a8160ec8392344d76fce67815 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Thu, 31 Oct 2024 13:27:33 -0500
Subject: [PATCH] Address token and security policy OpenSSF findings

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 .github/workflows/release.yaml | 6 ++++--
 .github/workflows/style.yaml | 3 +++
 .github/workflows/version.yaml | 8 +++++---
 SECURITY.md | 19 +++++++++++++++++++
 4 files changed, 31 insertions(+), 5 deletions(-)
 create mode 100644 SECURITY.md

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 65b137f92..462fd5772 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -4,8 +4,7 @@ on:
 workflow_dispatch:
 permissions:
- id-token: write
- contents: write
+ contents: read
 env:
 VERSION_FILE: pkg/version/version.go
@@ -14,6 +13,9 @@ jobs:
 tag:
 if: ${{ github.repository }} == 'chainguard-dev/malcontent'
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
 steps:
 - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml
index 67af38501..988cb654e 100644
--- a/.github/workflows/style.yaml
+++ b/.github/workflows/style.yaml
@@ -3,6 +3,9 @@ name: Code Style
+permissions:
+ contents: read
+
 on:
 pull_request:
 branches:
diff --git a/.github/workflows/version.yaml b/.github/workflows/version.yaml
index 492e78b98..dc903fe39 100644
--- a/.github/workflows/version.yaml
+++ b/.github/workflows/version.yaml
@@ -9,9 +9,7 @@ on:
 default: 'minor'
 permissions:
- contents: write
- id-token: write
- pull-requests: write
+ contents: read
 env:
 VERSION_FILE: pkg/version/version.go
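Review bot: The new job-level `id-token: write` / `contents: write` block on the `tag` job is gated only by the existing `if: ${{ github.repository }} == 'chainguard-dev/malcontent'`, and as far as I can tell that guard is ineffective: the `==` comparison sits outside the `${{ }}`, so GitHub interpolates the repository name and then treats the resulting non-empty string as true, meaning the write-scoped token is issued regardless of which repository runs the workflow. Moving the comparison inside the expression, `if: github.repository == 'chainguard-dev/malcontent'`, makes the gate actually restrict the elevated permissions; the `version` job in the second hunk of version.yaml carries the same guard in front of its new `contents`/`id-token`/`pull-requests: write` block and should get the same fix. Whether `id-token: write` is needed at all depends on the job's steps, which lie outside the hunk; if no step requests an OIDC token (e.g. for keyless signing), it can be dropped from the job block so the token keeps the minimum scope. The `tag` job's definition continues past the end of the hunk.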
@@ -20,6 +18,10 @@ jobs:
 version:
 if: ${{ github.repository }} == 'chainguard-dev/malcontent'
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ pull-requests: write
 steps:
 - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
 with:
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..150251f78
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,19 @@
+# `malcontent` Security Policy
+
+## Reporting Security Issues
+
+Security issues or vulnerabilities can be reported in one of two ways:
+- By emailing `security@chainguard.dev`
+- By reporting a finding privately via https://github.com/chainguard-dev/malcontent/security/advisories/new
+
+## Addressing Security Issues
+
+Security issues or vulnerabilities can also be addressed directly via a PR -- contributions are always welcome.
+
+More on contributing can be found in [DEVELOPMENT.md](DEVELOPMENT.md).
+
+## Addressing Rule Coverage Gaps
+
+While `malcontent` aims to err on the "paranoid" side of scanning, certain behaviors, including malicious behaviors, may not be covered by the existing YARA Rules.
+
+If this is the case, please open an issue: https://github.com/chainguard-dev/malcontent/issues or feel free to contribute changes or additions.