
Description

GitHub Actions variable values, unlike secret values, are returned by the REST API. A variable whose name looks like a secret (PASSWORD, TOKEN, KEY, SECRET, CRED, APIKEY) is almost always a misuse: the developer intended to create a secret but created a variable instead, exposing the value through both the GitHub UI and any caller of the /actions/variables endpoint. This is the #1 finding in workflow security audits and should always be remediated by recreating the value as a Secret.

Recommendation

1. Go to Repository or Organization Settings -> Secrets and variables -> Actions -> Variables.
2. For each variable whose name contains PASSWORD / TOKEN / KEY / SECRET / CRED / APIKEY, copy the value, delete the variable, then recreate it as a Secret.
3. Update workflows to reference secrets.<NAME> instead of vars.<NAME>.

Policy Rule

{
  "target": "GHActionsVariable",
  "if": {
    "allOf": [
      {
        "resource": "GHActionsVariable",
        "property": "Name",
        "operator": "notMatch",
        "value": "(?i)(password|token|secret|apikey|api_key|^key$|cred(ential)?|pwd|passphrase)"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
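As an added example (not part of this rule page and not the scanner's own code), the Python below applies the rule's regex to a constructed copy of what the variables listing endpoint (GET /repos/{owner}/{repo}/actions/variables) returns, then performs step 3 of the recommendation by rewriting ${{ vars.NAME }} references to ${{ secrets.NAME }} for the flagged names only. SAMPLE_RESPONSE and SAMPLE_WORKFLOW are constructed inputs; the response shape is assumed to be a JSON object with a "variables" array of {"name", "value"} objects. The sample also shows two edges of the rule's pattern: KEY_ID is not flagged because `^key$` only matches a variable named exactly KEY, while Api_Key is flagged because the pattern is case-insensitive.

```python
from __future__ import annotations
import re

# Pattern copied verbatim from the policy rule above; (?i) makes it case-insensitive,
# and ^key$ anchors against the whole name, so only an exact "KEY" matches that branch.
SECRET_LIKE_NAME = re.compile(
    r"(?i)(password|token|secret|apikey|api_key|^key$|cred(ential)?|pwd|passphrase)"
)

# Matches ${{ vars.NAME }} with optional whitespace inside the braces.
VARS_REF = re.compile(r"\$\{\{\s*vars\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def looks_like_secret(name: str) -> bool:
    """True when a variable name matches the rule's secret-like pattern."""
    return SECRET_LIKE_NAME.search(name) is not None


def flag_variables(api_response: dict) -> list[str]:
    """Return the variable names from a variables-listing response that should
    have been created as secrets (sorted for stable output)."""
    return sorted(
        v["name"] for v in api_response.get("variables", []) if looks_like_secret(v["name"])
    )


def rewrite_workflow(yaml_text: str, flagged: set[str]) -> tuple[str, int]:
    """Rewrite ${{ vars.NAME }} to ${{ secrets.NAME }} for flagged names only.
    Returns the rewritten text and the number of references changed."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        name = match.group(1)
        if name not in flagged:
            return match.group(0)  # leave legitimate variables untouched
        count += 1
        return "${{ secrets." + name + " }}"

    return VARS_REF.sub(repl, yaml_text), count


# Constructed stand-in for the REST API response (values are fake).
SAMPLE_RESPONSE = {
    "total_count": 6,
    "variables": [
        {"name": "DB_PASSWORD", "value": "constructed-value"},
        {"name": "DEPLOY_TOKEN", "value": "constructed-value"},
        {"name": "KEY", "value": "constructed-value"},        # exact KEY: flagged
        {"name": "KEY_ID", "value": "constructed-value"},     # not flagged by ^key$
        {"name": "NODE_VERSION", "value": "20"},              # legitimate variable
        {"name": "Api_Key", "value": "constructed-value"},    # flagged, case-insensitive
    ],
}

# Constructed workflow fragment that references the variables above.
SAMPLE_WORKFLOW = """\
env:
  DB_PASSWORD: ${{ vars.DB_PASSWORD }}
  NODE_VERSION: ${{vars.NODE_VERSION}}
  TOKEN: ${{ vars.DEPLOY_TOKEN }}
"""


if __name__ == "__main__":
    flagged = flag_variables(SAMPLE_RESPONSE)
    print("variables that should be secrets:", flagged)
    new_text, changed = rewrite_workflow(SAMPLE_WORKFLOW, set(flagged))
    print(f"rewrote {changed} reference(s):\n{new_text}")
```

Two caveats follow directly from the pattern: the `cred` branch is a substring match, so an unrelated name containing "cred" will also be audited, and a name such as SIGNING_KEY_ID is not caught by `^key$`. Treat the regex output as a candidate list to review, and perform the actual deletion and secret creation through the settings UI as described in the recommendation.
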

Rule Details
  • Rule ID: DOS5910
  • Code: GH_Repository_Actions_Variable_Name_Should_Not_Look_Like_Secret
  • Platform: GitHub
  • Category: repository
  • Severity: critical
  • Type: builtIn