CodeQL documentation

Excessive Secrets Exposure

ID: actions/excessive-secrets-exposure
Kind: problem
Security severity: 5.0
Severity: warning
Precision: high
Tags:
   - actions
   - security
   - external/cwe/cwe-312
Query suites:
   - actions-code-scanning.qls
   - actions-security-extended.qls
   - actions-security-and-quality.qls


Description

When the workflow runner cannot determine which secrets a workflow needs, it passes all available secrets to the runner, including organization and repository secrets. This violates the principle of least privilege and increases the impact of any vulnerability affecting the workflow.

Recommendations

Pass only the secrets that the workflow actually needs. Avoid expressions such as toJSON(secrets) and dynamically accessed secrets such as secrets[format('GH_PAT_%s', matrix.env)]: in both cases the workflow must receive every secret so that it can decide at runtime which one to use.

Examples

Incorrect Usage

env:
  ALL_SECRETS: ${{ toJSON(secrets) }}
---
strategy:
  matrix:
    env: [PROD, DEV]
env:
  GH_TOKEN: ${{ secrets[format('GH_PAT_%s', matrix.env)] }}

Correct Usage

env:
  NEEDED_SECRET: ${{ secrets.GH_PAT }}
strategy:
  matrix:
    env: [PROD, DEV]
---
if: matrix.env == 'PROD'
env:
  GH_TOKEN: ${{ secrets.GH_PAT_PROD }}
---
if: matrix.env == 'DEV'
env:
  GH_TOKEN: ${{ secrets.GH_PAT_DEV }}
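As an added check that is not part of the CodeQL query or this documentation, the Python below scans workflow text for the two patterns described above (toJSON(secrets) and a dynamically indexed secrets[...]) while leaving static references such as secrets.GH_PAT alone. The sample workflow is constructed for illustration, and the regular expressions are a deliberate simplification of what the query itself analyses.

```python
import re
from typing import List, Tuple

# Constructed sample workflow, not taken from any real repository. It mixes the
# patterns the page flags with static accesses that are acceptable.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    strategy:
      matrix:
        env: [PROD, DEV]
    env:
      ALL_SECRETS: ${{ toJSON(secrets) }}
      GH_TOKEN: ${{ secrets[format('GH_PAT_%s', matrix.env)] }}
      NEEDED_SECRET: ${{ secrets.GH_PAT }}
      LITERAL_INDEX: ${{ secrets['GH_PAT_DEV'] }}
      NOT_SECRETS: ${{ steps.secrets.outputs.value }}
"""

# Any ${{ ... }} expression, including ones that span several lines.
EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)
# Serialising the whole context: every secret is handed to the runner.
TOJSON_SECRETS = re.compile(r"\btoJSON\s*\(\s*secrets\s*\)", re.IGNORECASE)
# Bracket access whose index is not a quoted literal, so the secret name is
# only known at runtime. The lookbehind skips e.g. steps.secrets[...].
DYNAMIC_INDEX = re.compile(r"(?<![.\w])secrets\s*\[\s*(?![\"'])", re.IGNORECASE)


def find_excessive_secret_access(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line, kind, expression) for each expression that forces the
    runner to receive all secrets. secrets.NAME and secrets['NAME'] are
    statically resolvable and are therefore not reported."""
    findings = []
    for m in EXPRESSION.finditer(workflow_text):
        expr = m.group(1).strip()
        line = workflow_text.count("\n", 0, m.start()) + 1
        if TOJSON_SECRETS.search(expr):
            findings.append((line, "toJSON(secrets)", expr))
        elif DYNAMIC_INDEX.search(expr):
            findings.append((line, "dynamic-index", expr))
    return findings


if __name__ == "__main__":
    for line, kind, expr in find_excessive_secret_access(SAMPLE_WORKFLOW):
        print(f"line {line}: {kind}: {expr}")
```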
