
Create a Guide/Template: How to Create Secrets in GitHub #67

Open
erniep278 opened this issue Jun 29, 2023 · 5 comments

Comments

@erniep278
Member

erniep278 commented Jun 29, 2023

Overview

There are developers that need to create secrets for projects and are unaware of how to do so in GitHub. This causes an issue where Secrets are being used in a non-compliant way which increases our security risk.

Action Items

The phases in the guide-making process are listed below. Each phase displayed in blue is linked to a wiki page with instructions on how to complete that phase. Open the wiki page in a new tab, copy the instructions for each part into the section labeled 'Tasks' at the bottom of this issue, and complete each task listed.

Resources/Instructions

GitHub's documentation: Using secrets in GitHub Actions

Review this link to understand how someone might hack your secrets:
https://stackoverflow.com/questions/63003669/how-can-i-see-my-git-secrets-unencrypted

Projects to Check

Tasks

  • This is where you will copy instructions from the wiki page for the step you are currently on.
@erniep278 erniep278 added the size: 2pt Can be done in 7-12 hours label Jun 29, 2023
@erniep278

This comment was marked as outdated.

@fyliu
Member

fyliu commented Jul 6, 2023

Retrieving secrets from repos is an unsupported usage. GitHub does the simple job of matching output with secrets values and replaces them with asterisks when found. If you break it up into first char + space + the rest, it won't prevent it.

This really means that teams need to audit all gha internal and external to make sure they don't do malicious things. For example, do not allow workflows extra permissions in settings. Recently, I read a recommendation to set more permissions on the individual jobs level rather than repo global or workflow global. See this example

@nyarly
Member

nyarly commented Jul 6, 2023

In general, we should consider "retrieving a secret" an *anti-*feature. Every secret is effectively a target of a security threat, and any way you could exfiltrate one should be considered a vulnerability.

Consider a case where a GHA uses a secret and runs code in the repo on PR (for instance: it runs tests) - an attacker could issue a PR with a new "test" that retrieves the secrets and exposes them in the logs - the examples above demonstrate how easy it is to evade the Github protections.

Fortunately, actions don't provide secrets they don't ask for, so we can consider secret usage on a per-Action basis, and reject new Actions that mix secret usage with the means to reveal the secret.

Again, consider retrieval an *anti-*feature. The cases where it seems necessary are better handled with e.g. credential rotation or a password vault.
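An added example, not part of this thread: a workflow configuration that applies fyliu's recommendation to set permissions at the job level rather than workflow- or repo-wide, and nyarly's point that a job running repository code on a PR should not be given secrets at all. The job names, the secret name `DEPLOY_TOKEN`, and the deploy script path are assumptions.

```yaml
# Added example (not from the issue thread). Job names, the secret name and
# the script path are made up for illustration.
name: ci

on:
  pull_request:          # runs code from the PR, so it must not see deploy secrets
  push:
    branches: [main]

# Weak setting (do NOT use): gives every job write access to every scope.
# permissions: write-all

# Hardened: the workflow-wide default is read-only; each job widens only
# the scopes it actually needs.
permissions:
  contents: read

jobs:
  test:
    # Untrusted PR code runs here, so this job references no secrets and
    # the GITHUB_TOKEN it receives stays read-only.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  deploy:
    # Never runs on pull_request events: only on pushes to main, and only
    # after the test job passed. It is the single job that uses a secret.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: test
    runs-on: ubuntu-latest
    environment: production        # environment-scoped secret; reviewers can be required
    permissions:
      contents: read
      deployments: write           # widened for this job only
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # hypothetical secret name
        run: ./scripts/deploy.sh                      # hypothetical script
```

Keeping the secret in a job that cannot be triggered by a pull request, with a read-only token everywhere else, limits what a malicious "test" in a PR can reach even though the masking in the logs is not a real protection.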

@Aditya23soni
Member

Aditya23soni commented Oct 4, 2024

Prior version of issue

Overview

There are developers that need to create secrets for projects and are unaware of how to do so in GitHub. This causes an issue where Secrets are being used in a non-compliant way which increases our security risk.

Action Items

  • Research best practices for using Secrets in GitHub
  • Research how you can use Secrets that are stored in GitHub
  • Research how to show the secret (there is a way to view the secret after it's created).

Resources/Instructions

Here is the GitHub documentation about this:
https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-an-environment
Highlight this and have it stand out more to developers.

@Aditya23soni
Member

Aditya23soni commented Oct 4, 2024

Assignee, Labels, Project Board Placement, and Milestones for this issue in the Ops Repo:

[Screenshot 2024-10-04 at 4:49:50 PM: image of the issue's assignee, labels, project board placement and milestones]
