CodeQL documentation

Overview

ID: actions/unmasked-secret-exposure
Kind: problem
Security severity: 9.0
Severity: error
Precision: high
Tags:
   - actions
   - security
   - external/cwe/cwe-312
Query suites:
   - actions-code-scanning.qls
   - actions-security-extended.qls
   - actions-security-and-quality.qls

Secrets derived from other secrets are not known to the workflow runner, and therefore are not masked unless explicitly registered.

Recommendation

Avoid defining structured (non-plain) secrets. For example, do not store a JSON object in a single secret and then read individual properties out of it in the workflow: the runner only knows the secret as a whole, so values extracted from it (for example with `fromJson`) are not masked and will appear in plain text in the job log if printed.

Example

Incorrect Usage

- env:
    username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }}
    password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }}
  run: |
    echo "$username"
    echo "$password"

Correct Usage

- env:
    username: ${{ secrets.AZURE_CREDENTIALS_CLIENT_ID }}
    password: ${{ secrets.AZURE_CREDENTIALS_CLIENT_SECRET }}
  run: |
    echo "$username"
    echo "$password"
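When splitting the JSON secret into plain secrets is not possible, the derived values can be registered with the runner explicitly before anything prints them. The following script is an added example, not part of the CodeQL documentation: a `run` step pipes the JSON secret into it, and it emits one `::add-mask::` workflow command per scalar leaf (each line of a multi-line value separately), escaping `%` as `%25` as the workflow-command encoding requires. The sample JSON is constructed with fake values.

```python
import json
import sys
from typing import Any, Iterator

# Constructed sample in the shape of an AZURE_CREDENTIALS-style secret; values are fake.
SAMPLE_SECRET = json.dumps({
    "clientId": "11111111-aaaa-bbbb-cccc-222222222222",
    "clientSecret": "s3cr3t%value\nline2",
    "tenantId": 42,
    "enabled": True,
    "nested": {"token": "abc"},
})


def _escape(value: str) -> str:
    # Workflow command data is percent-decoded by the runner, so a literal '%' must be sent as '%25'.
    return value.replace("%", "%25")


def leaf_values(node: Any) -> Iterator[str]:
    """Yield every scalar leaf of a parsed JSON document as a string, recursing into objects and arrays."""
    if isinstance(node, dict):
        for value in node.values():
            yield from leaf_values(value)
    elif isinstance(node, list):
        for value in node:
            yield from leaf_values(value)
    elif isinstance(node, bool) or node is None:
        return  # true/false/null carry no secret material
    else:
        yield str(node)


def mask_commands(secret_json: str) -> list[str]:
    """Return the ::add-mask:: lines that register each leaf of the JSON secret with the runner."""
    commands: list[str] = []
    for value in leaf_values(json.loads(secret_json)):
        # Register each line on its own so multi-line values are masked wherever a single line shows up.
        for line in value.splitlines():
            if line.strip():
                commands.append(f"::add-mask::{_escape(line)}")
    return commands


if __name__ == "__main__":
    # In a workflow step (hypothetical file name): python mask_json_secret.py <<< "$AZURE_CREDENTIALS"
    for command in mask_commands(sys.stdin.read()):
        print(command)
```

Run this as its own step before any step that uses the derived values; masking only applies to output produced after the runner has processed the commands.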
