GitHub organization critical builtIn

Description

Minimize the use and sharing of your organization secrets. Protect your secrets by declaring them as environment secrets, and use required reviewers to protect those environment secrets. Organization secret visibility should be limited to a small set of selected repositories. Anyone with collaborator access to a repository that has access to a secret or variable can use it in Actions workflows. Secrets are not passed to workflows that are triggered by a pull request from a fork. Learn more:
https://docs.github.com/en/enterprise-cloud@latest/actions/security-guides/security-hardening-for-github-actions#using-secrets
https://docs.github.com/en/enterprise-cloud@latest/actions/security-guides/using-secrets-in-github-actions

Recommendation

1. Go to Organization Settings.
2. In the 'Security' section of the sidebar, select 'Secrets and variables', then click 'Actions'.
3. Click the 'Secrets' tab.
4. Review the list and keep it to a bare minimum.
5. Ensure the 'Visibility' setting of each secret is 'Selected repositories'.

Policy Rule

{
  "target": "GHActionsSecrets",
  "if": {
    "allOf": [
      {
        "resource": "GHActionsSecrets",
        "property": "TotalCount",
        "operator": "lessThan",
        "value": 11
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
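The following Python script is an added example, not part of this policy page or of any policy engine's code. It evaluates the rule above (TotalCount lessThan 11) against an organization's Actions secrets listing and, separately, flags every secret whose visibility is not 'selected' (recommendation step 5). It assumes the response shape of GitHub's REST endpoint GET /orgs/{org}/actions/secrets (fields total_count and secrets[].visibility); the listing embedded below is a constructed sample, so the script runs offline. The page does not say whether a matching 'if' block means the organization is compliant or is to be flagged, so the script only reports whether the condition matched and leaves that interpretation to the policy engine.

```python
"""Evaluate the GHActionsSecrets audit rule against an org secrets listing and
report secrets that are not scoped to selected repositories.

Added example. SAMPLE_LISTING is a constructed payload shaped like the response
of GET /orgs/{org}/actions/secrets; it is not real organization data.
"""
import json

# The policy rule from the page, as a Python structure.
POLICY_RULE = {
    "target": "GHActionsSecrets",
    "if": {
        "allOf": [
            {
                "resource": "GHActionsSecrets",
                "property": "TotalCount",
                "operator": "lessThan",
                "value": 11,
            }
        ]
    },
    "then": {"effect": "Audit"},
}

# Constructed sample listing (not real data): three org-level secrets, one of
# them visible to every repository and one to all private repositories.
# In the real API the 'secrets' array is paginated; 'total_count' covers all pages.
SAMPLE_LISTING = {
    "total_count": 3,
    "secrets": [
        {"name": "DEPLOY_TOKEN", "visibility": "selected"},
        {"name": "NPM_PUBLISH_TOKEN", "visibility": "all"},
        {"name": "SLACK_WEBHOOK", "visibility": "private"},
    ],
}

# Map the rule's property names onto fields of the API listing (assumed mapping).
PROPERTY_MAP = {"TotalCount": lambda listing: listing["total_count"]}

# Operators the evaluator understands; the page's rule only uses 'lessThan'.
OPERATORS = {
    "lessThan": lambda actual, expected: actual < expected,
    "lessThanOrEquals": lambda actual, expected: actual <= expected,
    "greaterThan": lambda actual, expected: actual > expected,
    "equals": lambda actual, expected: actual == expected,
}


def condition_holds(cond, listing):
    """Evaluate one leaf condition of the rule against the listing."""
    actual = PROPERTY_MAP[cond["property"]](listing)
    return OPERATORS[cond["operator"]](actual, cond["value"])


def rule_matches(rule, listing):
    """Return True when the rule's 'if' block matches the listing.

    'allOf' is what the page's rule uses; 'anyOf' is handled the same way so
    the evaluator also works for rules written with it.
    """
    block = rule["if"]
    if "allOf" in block:
        return all(condition_holds(c, listing) for c in block["allOf"])
    if "anyOf" in block:
        return any(condition_holds(c, listing) for c in block["anyOf"])
    return condition_holds(block, listing)


def visibility_findings(listing):
    """Names of secrets not scoped to selected repositories (recommendation step 5)."""
    return [
        s["name"] for s in listing["secrets"] if s.get("visibility") != "selected"
    ]


def audit(listing, rule=POLICY_RULE):
    """Combine the count rule and the per-secret visibility check into one report."""
    return {
        "effect": rule["then"]["effect"],
        "count_rule_matched": rule_matches(rule, listing),
        "secret_count": listing["total_count"],
        "over_exposed_secrets": visibility_findings(listing),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LISTING), indent=2))
```

To run this against a real organization, replace SAMPLE_LISTING with the parsed JSON of GET /orgs/{org}/actions/secrets (a token with the admin:org scope is needed to list organization secrets); the visibility check is the part worth wiring into a periodic job, since a single 'all' secret undoes the scoping the count rule is meant to encourage.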