Create a Guide/Template: How to Create Secrets in GitHub #67
Comments
Retrieving secrets from repos is an unsupported usage. GitHub does the simple job of matching output with secret values and replaces them with asterisks when found. If you break it up into first char + space + the rest, it won't prevent it. This really means that teams need to audit all GitHub Actions (GHA), internal and external, to make sure they don't do malicious things. For example, do not allow workflows extra permissions in settings. Recently, I read a recommendation to set permissions at the individual job level rather than repo-global or workflow-global. See this example.
In general, we should consider "retrieving a secret" an *anti-*feature. Every secret is effectively a target of a security threat, and any way you could exfiltrate one should be considered a vulnerability. Consider a case where a GHA uses a secret and runs code in the repo on PR (for instance: it runs tests). An attacker could issue a PR with a new "test" that retrieves the secrets and exposes them in the logs; the examples above demonstrate how easy it is to evade the GitHub protections. Fortunately, actions don't provide secrets they don't ask for, so we can consider secret usage on a per-Action basis, and reject new Actions that mix secret usage with the means to reveal the secret. Again, consider retrieval an anti-feature. The cases where it seems necessary are better handled with e.g. credential rotation or a password vault.
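The two comments above make two points: log masking is a best-effort output filter, not a boundary, and the only reliable defence is to keep secrets away from jobs that run PR-supplied code and to grant permissions per job. The workflow below is an added example written for this issue, not code from the project or either commenter. The file name, the `DEPLOY_TOKEN` secret, the `deploy.sh` script and the npm commands are assumptions for illustration; the trigger names and permission scopes are standard GitHub Actions syntax.

```yaml
# Added example (not from the issue or the project): keep the PR test job
# secret-free and read-only, and confine the one secret to a separate job
# that only runs on already-reviewed code.
# Assumed names: DEPLOY_TOKEN, deploy.sh, the npm commands.
name: ci

on:
  pull_request:        # not pull_request_target: fork PRs get no secrets and a read-only token
  push:
    branches: [main]

# Workflow-wide default is least privilege; jobs raise it only where needed.
permissions:
  contents: read

jobs:
  test:
    # Runs on every PR, including forks, so it must not reference any secret.
    # No ${{ secrets.* }} expression appears here: a "test" added in a PR
    # cannot print what the job was never given, whatever it does to the output.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  deploy:
    # Only on push to main, i.e. after a maintainer merged the PR, so the code
    # that handles the secret has already been reviewed.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      deployments: write   # job-level grant: only what this job needs
    environment: production  # environment secrets can additionally require reviewers
    steps:
      - uses: actions/checkout@v4
      - name: deploy
        # Hand the secret to the single step that needs it via env, never as a
        # command-line argument (arguments can end up in process listings and logs).
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: ./deploy.sh
```

The point is structural rather than cosmetic: the `test` job has nothing to leak because it never asks for a secret, and the `deploy` job's token scope is declared on the job itself instead of inherited from the repository or workflow default. When reviewing a new workflow or a third-party action, the question to ask is the one the comment above poses: does this job both receive a secret and execute code that a PR author controls? If so, split it as above, and pin third-party actions to a commit SHA rather than a mutable tag.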
Overview
There are developers that need to create secrets for projects and are unaware of how to do so in GitHub. This causes an issue where Secrets are being used in a non-compliant way which increases our security risk.
Action Items
The phases in the guide-making process are listed below. Each phase displayed in blue is linked to a wiki page with instructions on how to complete that phase. Open the wiki page in a new tab, copy the instructions for each part into the section labeled 'Tasks' at the bottom of this issue, and complete each task listed.
Resources/Instructions
GitHub's documentation: Using secrets in GitHub Actions
Review this link to understand how someone might hack your secrets:
https://stackoverflow.com/questions/63003669/how-can-i-see-my-git-secrets-unencrypted
Projects to Check
Tasks