GitHub Actions variable values are exposed to every workflow run. A value containing 'http://' (instead of 'https://') configures workflows to talk to backend services over plaintext, allowing in-transit interception of the workflow's data and credentials. Update the value to use 'https://'. (HTTPS may not be appropriate for purely internal localhost development URLs that never reach a real network; treat such cases as exemptions.)
1. Go to Repository or Organization Settings -> Secrets and variables -> Actions -> Variables.
2. For each variable whose value contains http://, edit the value to use https:// where the backend supports TLS.
3. For variables that genuinely need plaintext local URLs, document the exemption.
{
  "target": "GHActionsVariable",
  "if": {
    "allOf": [
      {
        "resource": "GHActionsVariable",
        "property": "Value",
        "operator": "notContains",
        "value": "http://"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
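The same check can be run offline against an exported variable list. The following is an added example, not DevOps Shield's own code: it flags every `http://` URL in a variable value and separates the local-only exemptions described above. It matches the scheme case-insensitively, which goes slightly beyond the literal substring test in the policy. The sample data, the `LOCAL_HOSTS` exemption set and the function name `audit_variables` are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample shaped like the GitHub REST response for
# GET /repos/{owner}/{repo}/actions/variables (names and values are made up).
SAMPLE_RESPONSE = json.loads("""
{"total_count": 4, "variables": [
  {"name": "API_BASE", "value": "http://api.example.com/v1"},
  {"name": "DOCS_URL", "value": "https://docs.example.com"},
  {"name": "DEV_PROXY", "value": "http://localhost:8080"},
  {"name": "ENDPOINTS", "value": "https://a.example.com,HTTP://b.example.com/x"}
]}
""")

# Hosts treated as local-only exemptions (assumption; adjust to your own policy).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# URL schemes are case-insensitive, so match HTTP:// as well as http://.
URL_RE = re.compile(r"http://[^\s,;\"']+", re.IGNORECASE)


def audit_variables(variables, exempt_hosts=LOCAL_HOSTS):
    """Return (violations, exemptions) as lists of (variable name, url)."""
    violations, exemptions = [], []
    for var in variables:
        # A single value may hold several URLs; check each one separately.
        for url in URL_RE.findall(var.get("value", "")):
            host = urlsplit(url).hostname or ""
            bucket = exemptions if host in exempt_hosts else violations
            bucket.append((var["name"], url))
    return violations, exemptions


if __name__ == "__main__":
    bad, exempt = audit_variables(SAMPLE_RESPONSE["variables"])
    for name, url in bad:
        print(f"NON-COMPLIANT {name}: {url}")
    for name, url in exempt:
        print(f"EXEMPT (local) {name}: {url}")
```

Exempt entries still need the documentation called for in step 3; the script only sorts them out of the violation list.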