DOS4381: GitHub Actions Secrets - Restrict the sharing of an organization secret to fewer selected repositories | Security KB - DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.

This website stores cookies on your computer.These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, please review our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.
By clicking “Accept All”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

GitHub organization critical builtIn

Description

Minimize the sharing of your organization secrets to a smaller set of specific repositories. Limit the usage of organization secrets. Protect your secrets by declaring them as environment secrets and use required reviewers to protect environment secrets. The organization secret visibility should be limited to fewer selected repositories. Anyone with collaborator access to the repositories with access to a secret or variable can use it for Actions. They are not passed to workflows that are triggered by a pull request from a fork. Learn more: https://docs.github.com/en/enterprise-cloud@latest/actions/security-guides/security-hardening-for-github-actions#using-secrets https://docs.github.com/en/enterprise-cloud@latest/actions/security-guides/using-secrets-in-github-actions

Recommendation

1. Go to Organization Settings. 
2. In the 'Security' section of the sidebar, select Secrets and variables, then click Actions. 
3. Click the 'Secrets' tab. 
4. Find the secret and click on edit pencil icon. 
5. Ensure the 'Repository access' setting is 'Selected repositories' and the number of repositories is under 10.

Policy Rule

{
  "target": "GHActionsSecret",
  "if": {
    "allOf": [
      {
        "resource": "GHActionsSecret",
        "property": "Visibility",
        "operator": "equals",
        "value": "selected"
      },
      {
        "resource": "GHActionsSecret",
        "property": "SelectedRepositoriesTotalCount",
        "operator": "greaterThan",
        "value": 1
      },
      {
        "resource": "GHActionsSecret",
        "property": "SelectedRepositoriesTotalCount",
        "operator": "lessThan",
        "value": 11
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}

« DOS4380 DOS4510 »

Rule Details

Rule ID: DOS4381
Code: GH_Organization_Actions_Secrets_Restrict_Access_To_Fewer_Selected_Repos
Platform: GitHub
Category: organization
Severity: critical
Type: builtIn

DOS4381

GitHub Actions Secrets - Restrict the sharing of an organization secret to fewer selected repositories

DOS4381

Description

Recommendation

Policy Rule

View evaluation logic (JSON)

Rule Details

Related Rules