GitHub Workflow Security Flaw: slashben/kubescape Repository Exposed via 'read-all' Permissions

A critical security misconfiguration has been identified in the popular Kubernetes security tool repository, slashben/kubescape. A GitHub Actions workflow is configured with excessive 'read-all' permissions, granting broad read access to sensitive repository scopes. This flaw is not merely theoretical; the vulnerable workflow is automatically triggered by pull request events, including those opened by external contributors from forks. This creates a tangible vector for potential data exfiltration or reconnaissance by less-trusted actors.

The specific vulnerability resides in the `.github/workflows/00-pr-scanner.yaml` file, which declares `permissions: read-all` at the workflow level. This setting grants read access to all permission scopes, including sensitive areas like `security-events`, `checks`, `contents`, `deployments`, `issues`, `packages`, `pull-requests`, and `repository-projects`. The workflow's trigger conditions—`pull_request` events such as 'opened', 'reopened', 'synchronize', and 'readyforreview'—mean any pull request, including one from a forked repository, can activate this workflow with its elevated permissions.

While the finding is classified as a MEDIUM severity issue (OWASP CI/CD-SEC-3) and was only partially verified by the pentest agent—meaning full exploitability was not confirmed—the risk profile is significant. For a security-focused project like Kubescape, which handles security scanning logic and configurations, excessive permissions could allow malicious PRs to silently read security event logs, check results, or other internal project metadata. This exposure underscores the persistent risk of over-permissioned CI/CD pipelines, especially in projects that attract high levels of external contribution and scrutiny.