Secrets Used Outside Environment Variables
Description
Interpolating a secret directly into a run: command — deploy --token ${{ secrets.TOKEN }} — places the plaintext value on the command line, where it can leak through process listings (ps), shell traces (set -x), error output, or logs that are not perfectly masked. 1 The recommended pattern is to pass the secret through a step env: variable and reference the environment variable in the command, which keeps the value out of the command line. Self-hosted runners have an even higher-impact variant covered by Self Hosted Runner Secrets in Run.
Vulnerable Instance
- A
run:step interpolates${{ secrets.* }}directly into the command text.
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- run: curl -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" https://api.example.com
# token appears on the command line / process listMitigation Strategies
Pass secrets via
env:. Bind the secret to a step environment variable and reference$VARin the command.- env: API_TOKEN: ${{ secrets.API_TOKEN }} run: curl -H "Authorization: Bearer $API_TOKEN" https://api.example.comQuote the variable (
"$API_TOKEN") and avoid echoing it.Disable command tracing around secret usage (avoid
set -xwhere secrets are handled).
Secure Version
steps:
- - run: curl -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" https://api.example.com
+ - env:
+ API_TOKEN: ${{ secrets.API_TOKEN }}
+ run: curl -H "Authorization: Bearer $API_TOKEN" https://api.example.com
Impact
| Dimension | Severity | Notes |
|---|---|---|
| Likelihood | A very common shortcut when wiring up API calls in run steps. | |
| Risk | Increases the chance a secret leaks via process listings, traces, or imperfectly masked logs. | |
| Blast radius | Limited to the exposed credential, but that credential may be high value. |
References
- GitHub Docs, “Using secrets in GitHub Actions,” https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions 1
- GitHub Docs, “Security hardening for GitHub Actions,” https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions 2
GitHub Docs, “Using secrets in GitHub Actions,” https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions ↩︎ ↩︎
GitHub Docs, “Security hardening for GitHub Actions,” https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions ↩︎