GitHub Actions automatically redacts secrets from logs to prevent accidental exposure. However, when structured data stored as secrets is parsed
using functions like fromJSON(), the parsed values are no longer recognized as secrets by the automatic redaction mechanism. This can
lead to sensitive information being exposed in workflow logs.
Ask Yourself Whether
- The structured data contains sensitive information that should not be exposed in logs.
- The parsed values from the structured data are used in contexts where they might be printed to logs.
- There are no additional safeguards in place to prevent the exposure of these parsed values.
There is a risk if you answer yes to all of these questions.
Recommended Secure Coding Practices
- Avoid parsing structured data stored as secrets when the individual values need to remain secret.
- Store individual secrets separately instead of embedding them in structured data.
- If structured data must be used, ensure that any operations involving the parsed values are performed in environments where logging is
controlled.
- Use intermediate variables with care and avoid echoing or printing variables that contain parsed secret values.
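When structured secret data cannot be avoided, the parsed leaf values can at least be registered with the runner's add-mask workflow command before any later step prints them. The script below is an added example, not code from the rule description; it assumes the JSON is passed in a JSON_SECRET environment variable and that the step's stdout is read by the Actions runner, which is what makes the "::add-mask::" lines take effect.

```python
"""Register every leaf value of a JSON secret with GitHub's add-mask
workflow command so later log output in the same job redacts it.

Assumptions (not from the rule text): the JSON arrives in the
JSON_SECRET environment variable, and this runs as a `run:` step whose
stdout the Actions runner reads, which is what makes '::add-mask::' work.
"""
import json
import os
import sys


def collect_leaves(node):
    """Recursively collect every scalar leaf of a parsed JSON document.

    Objects and arrays are walked; None and booleans are skipped because
    they carry nothing worth masking; numbers are rendered with str().
    """
    if isinstance(node, dict):
        return [v for child in node.values() for v in collect_leaves(child)]
    if isinstance(node, list):
        return [v for child in node for v in collect_leaves(child)]
    if node is None or isinstance(node, bool):
        return []
    return [str(node)]


def mask_commands(json_text):
    """Return the '::add-mask::' lines for every leaf value of a JSON secret.

    Masking matches whole lines, so a multi-line value (e.g. a PEM key) is
    split and each non-empty line is masked on its own; duplicates are
    dropped while keeping first-seen order.
    """
    seen, lines = set(), []
    for value in collect_leaves(json.loads(json_text)):
        for line in value.splitlines():
            if line and line not in seen:
                seen.add(line)
                lines.append(f"::add-mask::{line}")
    return lines


if __name__ == "__main__":
    raw = os.environ.get("JSON_SECRET")
    if not raw:
        sys.exit("JSON_SECRET is not set")
    # Printing the commands is what registers the masks with the runner.
    print("\n".join(mask_commands(raw)))
```

Run it as its own step, with `JSON_SECRET: ${{ secrets.JSON_SECRET }}` in that step's env, before any step that uses fromJSON() on the same secret; masks registered this way only cover log output produced after the step runs.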
Sensitive Code Example
name: Example
on:
  pull_request:
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - name: Example Step
        env:
          SECRET: ${{ fromJSON(secrets.JSON_SECRET).SECRET_IN_JSON }} # Sensitive
        run: |
          example-command "$SECRET"
Compliant Solution
The example below is compliant because the secret is not parsed from structured data.
name: Example
on:
  pull_request:
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - name: Example Step
        env:
          SECRET: ${{ secrets.SECRET }}
        run: |
          example-command "$SECRET"