Org-level Actions variables with visibility 'all' are exposed to every repository in the organization, including newly-created ones. Variables (unlike secrets) have their VALUES returned by the GitHub REST API, so leaking them through over-broad visibility may expose configuration data, hostnames, account IDs, or feature flags that adversaries can use during reconnaissance. Use 'selected' visibility to scope variables to only the repos that need them.
1. Go to Organization Settings -> Secrets and variables -> Actions -> Variables.
2. For each variable with visibility 'All repositories', change it to 'Private repositories' or 'Selected repositories'.
{
  "target": "GHActionsVariable",
  "if": {
    "allOf": [
      {
        "resource": "GHActionsVariable",
        "property": "Visibility",
        "operator": "notEquals",
        "value": "all"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
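The same check can be run outside the policy engine against the GitHub REST API. The script below is an added example, not DevOps Shield's or GitHub's code: it evaluates the response of GET /orgs/{org}/actions/variables offline against a constructed sample (the variable names and values are made up), and the live fetch helper assumes a token with organization admin read access.

```python
"""Audit org-level GitHub Actions variables for over-broad visibility."""
import json
import urllib.request

# Constructed sample shaped like the API response for
# GET /orgs/{org}/actions/variables (names and values are made up).
SAMPLE_RESPONSE = json.dumps({
    "total_count": 3,
    "variables": [
        {"name": "ARTIFACT_BUCKET", "value": "build-artifacts-prod",
         "visibility": "all"},
        {"name": "DEPLOY_ACCOUNT_ID", "value": "123456789012",
         "visibility": "selected"},
        {"name": "INTERNAL_API_HOST", "value": "api.internal.example",
         "visibility": "private"},
    ],
})


def fetch_org_variables(org: str, token: str) -> str:
    """Fetch the raw JSON for an organization's Actions variables (not run here)."""
    req = urllib.request.Request(
        f"https://api.github.com/orgs/{org}/actions/variables",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def find_overexposed_variables(response_json: str) -> list:
    """Return one finding per variable visible to every repository.

    Values are deliberately left out of the findings: the API already returns
    them in clear text, and an audit report should not copy them elsewhere.
    """
    data = json.loads(response_json)
    findings = []
    for var in data.get("variables", []):
        if var.get("visibility") == "all":
            findings.append({
                "name": var["name"],
                "value_length": len(var.get("value", "")),
                "remediation": "Set visibility to 'private' or 'selected'",
            })
    return findings


if __name__ == "__main__":
    for finding in find_overexposed_variables(SAMPLE_RESPONSE):
        print(finding)
```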