DOS5900

Dependabot Secret - Should have a name

DOS5900

GitHub repository Severitymedium builtIn

Description

Every Dependabot secret should carry a non-empty name (the GitHub Actions workflow references the secret by name via secrets.<NAME>). Records with empty names are typically mid-creation states or API-quirk artifacts that cannot be consumed by Dependabot's automated dependency updates.

Learn More

Recommendation

1. Go to Repository or Organization Settings -> Secrets and variables -> Dependabot. 
2. Identify any secrets without names. 
3. Delete or rename them.

Policy Rule

{
  "target": "GHDependabotSecret",
  "if": {
    "allOf": [
      {
        "resource": "GHDependabotSecret",
        "property": "Name",
        "operator": "notEquals",
        "value": ""
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
« DOS5855 DOS5905 »
Rule Details
  • Rule ID: DOS5900
  • Code: GH_Repository_Dependabot_Secret_Should_Have_Name
  • Platform: GitHub
  • Category: repository
  • Severity: Severitymedium
  • Type: builtIn
Related Rules

Copyright © DevOps Shield. All Rights Reserved. Privacy Policy | Cookie Policy | Terms and Conditions | v1.0.2