fix: add package read permission for container jobs

remediation/workflow/permissions/permissions.go

@@ -209,6 +209,7 @@ func AddJobLevelPermissions(inputYaml string, addEmptyTopLevelPermissions bool)
 
 		jobState := &JobState{}
 		jobState.WorkflowEnv = workflow.Env
+		jobState.IsContainerJob = (job.Container.Image != "")
 		perms, err := jobState.getPermissions(job.Steps)
 
 		if err != nil {
@@ -369,6 +370,8 @@ type JobState struct {
 	MissingActions    []string
 	Errors            []error
 	ActionPermissions *metadata.ActionPermissions
+
+	IsContainerJob bool // true if the job is running in a container
 }
 
 func evaluateEnvironmentVariables(step metadata.Step) string {
@@ -519,6 +522,11 @@ func (jobState *JobState) getPermissionsForRunStep(step metadata.Step) ([]Permis
 func (jobState *JobState) getPermissions(steps []metadata.Step) ([]string, error) {
 	permissions := []string{}
 
+	// If the job is a container job, we need to add packages: read permission
+	if jobState.IsContainerJob {
+		permissions = append(permissions, fmt.Sprintf("%s  # for container job", packages_read))
+	}
+
 	for _, step := range steps {
 
 		if step.Uses != "" { // it is an action

remediation/workflow/secureworkflow_test.go

@@ -333,6 +333,7 @@ func TestSecureWorkflowContainerJob(t *testing.T) {
 	queryParams := make(map[string]string)
 	queryParams["skipHardenRunnerForContainers"] = "true"
 	queryParams["addProjectComment"] = "false"
+	queryParams["addPermissions"] = "true"
 
 	output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
 

testfiles/secureworkflow/output/container-job.yml

@@ -9,6 +9,9 @@ permissions:
 
 jobs:
   test:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      packages: read  # for container job
     runs-on: ubuntu-latest
     container:
       image: cgr.dev/chainguard/wolfi-base@sha256:91ed94ec4e72368a9b5113f2ffb1d8e783a91db489011a89d9fad3e3816a75ba