Secure mode no child

Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · Feb 1, 2025 · 4cfedbd · 4cfedbd
1 parent 0a0347a
commit 4cfedbd
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/.github/workflows/repotests.yml b/.github/workflows/repotests.yml
@@ -756,5 +756,5 @@ jobs:
           bin/cdxgen.js -p -t pnpm ${GITHUB_WORKSPACE} --no-recurse -o ${GITHUB_WORKSPACE}/bomresults/bom-self.json --fail-on-error
         shell: bash
         env:
-          NODE_OPTIONS: "--permission --allow-fs-read=/home/runner/* --allow-fs-read=/tmp/* --allow-fs-read=/run/user/1001/* --allow-fs-read=/opt/hostedtoolcache/* --allow-fs-write=/tmp/* --allow-fs-read=/Users/runner/* --allow-fs-read=${{ github.workspace }}/* --allow-fs-write=${{ github.workspace }}/bomresults/*.json --allow-fs-read=${{ runner.temp }}/* --allow-fs-write=${{ runner.temp }}/* --trace-warnings"
+          NODE_OPTIONS: "--permission --allow-fs-read=/home/runner/*.* --allow-fs-read=/tmp/* --allow-fs-read=/run/user/1001/* --allow-fs-read=/opt/hostedtoolcache/* --allow-fs-write=/tmp/* --allow-fs-read=/Users/runner/* --allow-fs-read=${{ github.workspace }}/*.yaml --allow-fs-write=${{ github.workspace }}/bomresults/*.json --allow-fs-read=${{ runner.temp }}/* --allow-fs-write=${{ runner.temp }}/* --trace-warnings"
           CDXGEN_TEMP_DIR: ${{ runner.temp }}/cdxgen-repotests
diff --git a/docs/PERMISSIONS.md b/docs/PERMISSIONS.md
@@ -51,6 +51,14 @@ Secure mode requires permission-related arguments. These can be passed as CLI ar
 export NODE_OPTIONS='--permission --allow-fs-read="/var/folders/h5/43_6kqvs4w7cclqtdbpj_7g80000gn/T/*" --allow-fs-write="/var/folders/h5/43_6kqvs4w7cclqtdbpj_7g80000gn/T/*" --allow-fs-read="/Volumes/Work/sandbox/pnpm/*" --allow-fs-write="/Volumes/Work/sandbox/pnpm/bom.json"'
 ```
 
+## Controlling the permissions for external commands
+
+Use the environment variable `CDXGEN_NODE_OPTIONS` to control the permissions for the external node-based commands such as npm, atom, and yarn etc.
+
+```shell
+export CDXGEN_NODE_OPTIONS="--permission --allow-fs-read<more restricted directories> --allow-fs-write=/foo/usages.slices.json"
+```
+
 ## GitHub Action Workflow sample
 
 Our repotests include a working configuration to enable secure mode in GitHub Action Workflows. Below is a snippet.