poutine

Job uses all secrets

Description

A GitHub Actions job was found to have access to all secrets. This may be unnecessary and expose sensitive information to the job.

This can occur when the secrets object is serialized to JSON. For example:

env:
  ALL_SECRETS: ${{ toJSON(secrets) }}

Accessing the secrets object using a dynamic key will also expose all secrets to the job. For example:

strategy:
  matrix:
    env: [PROD, DEV]
env:
  GH_TOKEN: ${{ secrets[format('GH_PAT_%s', matrix.env)] }}

In this example, both secrets GH_PAT_DEV and GH_PAT_PROD are made available in each job as the GitHub Actions runner is unable to determine the secrets the job requires. As a result, all repository and organization secrets are retained in memory and may be accessed by the job.

Remediation

Avoid using ${{ toJSON(secrets) }} or ${{ secrets[...] }} and only reference individual secrets that are required for the job.

To avoid dynamic key access, consider using GitHub Actions environments to restrict the secrets available to the job. This way, the secrets can share the same name but have different values depending on the environment the job uses. Additionally, GitHub Actions environments can benefit from deployment protection rules to further restrict access to their secrets. The previous matrix workflow can be rewritten as follows:

build:
  runs-on: ubuntu-latest
  strategy:
    matrix:
      env: [PROD, DEV]
  environment: ${{ matrix.env }}
  env:
    GH_TOKEN: ${{ secrets.GH_PAT }}
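The two patterns described above (toJSON(secrets) and a dynamic secrets[...] key) can be spotted with a small check over a workflow file, shown here as an added example that is not poutine's own implementation; the two workflow texts are constructed and mirror the vulnerable and remediated jobs on this page, and only the two forms named above are flagged.

```python
import re
from typing import List, Tuple

# Constructed sample: the matrix job from the description, plus toJSON(secrets)
VULNERABLE_WORKFLOW = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        env: [PROD, DEV]
    env:
      ALL_SECRETS: ${{ toJSON(secrets) }}
      GH_TOKEN: ${{ secrets[format('GH_PAT_%s', matrix.env)] }}
    steps:
      - run: echo ok
"""

# Constructed sample: the remediated job using an environment and a static secret name
REMEDIATED_WORKFLOW = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        env: [PROD, DEV]
    environment: ${{ matrix.env }}
    env:
      GH_TOKEN: ${{ secrets.GH_PAT }}
    steps:
      - run: echo ok
"""

# Only the text inside ${{ ... }} expressions is inspected.
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)
# Whole secrets context serialized; GitHub expression functions are case-insensitive.
TOJSON_RE = re.compile(r"\btoJSON\s*\(\s*secrets\s*\)", re.IGNORECASE)
# Index access into the secrets context; the static form secrets.NAME does not match.
DYNAMIC_KEY_RE = re.compile(r"\bsecrets\s*\[", re.IGNORECASE)


def find_all_secrets_access(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, expression) for each expression exposing all secrets."""
    findings = []
    for m in EXPR_RE.finditer(workflow_text):
        expr = m.group(1).strip()
        line_no = workflow_text.count("\n", 0, m.start()) + 1
        if TOJSON_RE.search(expr):
            findings.append((line_no, "tojson_secrets", expr))
        elif DYNAMIC_KEY_RE.search(expr):
            findings.append((line_no, "dynamic_secret_key", expr))
    return findings
```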

See Also