Add configurable permission restrictions to GitHub Action #13
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add 'allowed-tools' input parameter to action.yml for configuring Claude Code permissions - Implement --allowedTools flag passing in github_action_audit.py - Set secure read-only defaults (Read, Glob, Grep, LS, Task, limited git commands) - Add tests for permission restrictions functionality - Update documentation with new parameter and default tools list - Claude CLI handles comma-separated tool specifications natively This enables tighter security controls while allowing flexibility to extend permissions for tools like Notion MCP when needed. ## Test Plan - Added comprehensive tests for default and custom tool configurations - Verified claude CLI handles tools with commas in specifications correctly - All existing tests pass
rsharma-figma
force-pushed
the
rohan/add-permission-restrictions
branch
from
95ab961 to
db5afdf
Compare
The SimpleClaudeRunner.run_security_audit method now includes --allowedTools parameter in the Claude command, but the test was still expecting the old format without this parameter. Updated test_run_security_audit_success to expect the --allowedTools parameter with its default value of read-only tools for security scanning. ## Test Plan - Ran python3 -m pytest claudecode/test_claude_runner.py::TestSimpleClaudeRunner::test_run_security_audit_success -v - Ran full test suite with python3 -m pytest --tb=short - All 175 tests now pass
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
At Figma, we noticed that the
/security-reviewcommand in.claude/commands/security-review.mdspecifiesallowed-toolsto restrict permissions, but this wasn't actually being enforced when the GitHub Action runs Claude Code via the CLI. This PR adds support for configurable permission restrictions to ensure Claude Code operates with minimal required permissions during security scans.Motivation
Changes
New
allowed-toolsinput parameter inaction.ymlPermission enforcement in
github_action_audit.py--allowedToolsflag to the Claude CLI (single comma-separated string)Read,Glob,Grep,LS,Task, and limited git commands (git diff,git status,git log,git show,git remote show)Tests for the new functionality
Documentation updates
Test Plan
Notes
This is a backward-compatible change - existing workflows will continue to work with the secure defaults applied automatically.