DOS5905

Dependabot Secret - Name should not match generic 'PASSWORD' pattern

DOS5905

GitHub repository Severitymedium builtIn

Description

A Dependabot secret literally named 'PASSWORD' (or close variants like PASSWORD_1, PASSWORD_PROD) is a maintenance hazard: rotating it requires updating every dependent workflow because the name conveys no purpose. Use brand-specific names instead (NPM_REGISTRY_TOKEN, PYPI_DEPLOY_KEY, AZURE_CR_PUSH_PASSWORD). Generic password names are also a red flag for credential reuse across registries.

Learn More

Recommendation

1. Go to Repository or Organization Settings -> Secrets and variables -> Dependabot. 
2. Rename any secret named PASSWORD / PASSWORD_* to reflect its specific use (NPM_TOKEN, AWS_SECRET_ACCESS_KEY, etc.). 
3. Update all referencing workflows.

Policy Rule

{
  "target": "GHDependabotSecret",
  "if": {
    "allOf": [
      {
        "resource": "GHDependabotSecret",
        "property": "Name",
        "operator": "notMatch",
        "value": "^PASSWORD(_.*)?$"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
« DOS5900 DOS5907 »
Rule Details
  • Rule ID: DOS5905
  • Code: GH_Repository_Dependabot_Secret_Name_Should_Not_Be_Generic_Password
  • Platform: GitHub
  • Category: repository
  • Severity: Severitymedium
  • Type: builtIn
Related Rules

Copyright © DevOps Shield. All Rights Reserved. Privacy Policy | Cookie Policy | Terms and Conditions | v1.0.2