GITHUB_TOKEN granted write-all permissions
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A permissions block is set to write-all, giving the job token write access to every scope (contents, packages, deployments, actions, and more). A compromised step or dependency can then push code, publish packages, or tamper with releases.
Why it matters
permissions: write-all gives the automatic GITHUB_TOKEN write access to every scope: repository contents, packages, deployments, actions, pages, and more. Most jobs need only read. If any step, dependency, or action in the job is compromised, that broad token lets it push commits, publish packages, or alter releases.
How to fix it
Replace write-all with the minimum scopes the job actually uses. Start from permissions: contents: read at the top level and add only what specific jobs need (for example contents: write for a release job, packages: write for a publish job). Set write scopes on the individual job, not the whole workflow.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo