Job uses all secrets
A GitHub Actions job was found to have access to all secrets. A job normally needs only one or two secrets; exposing every repository and organization secret to it is unnecessary and widens the impact of any step in that job being compromised.
This can occur when the `secrets` object is serialized to JSON. For example:

```yaml
env:
  ALL_SECRETS: ${{ toJSON(secrets) }}
```
Accessing the `secrets` object using a dynamic key will also expose all secrets to the job. For example:

```yaml
strategy:
  matrix:
    env: [PROD, DEV]
env:
  GH_TOKEN: ${{ secrets[format('GH_PAT_%s', matrix.env)] }}
```
In this example, both secrets `GH_PAT_DEV` and `GH_PAT_PROD` are made available to every matrix job, because the GitHub Actions runner cannot determine ahead of time which secret the expression will resolve to. As a result, all repository and organization secrets are retained in memory for the lifetime of the job and can be read by any step that runs in it, not only the one that needs the token.
Avoid using `${{ toJSON(secrets) }}` or `${{ secrets[...] }}` with a computed key, and reference only the individual secrets the job requires, for example `${{ secrets.GH_PAT }}`.
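The following script is an added example and is not part of the original page or of the CodeQL query it documents. It is a small textual pre-commit check, assumed to be run against workflow files under `.github/workflows/`, that extracts every `${{ ... }}` expression and flags the two patterns described above: `toJSON(secrets)` and `secrets[...]` indexed with anything other than a single-quoted string literal. The embedded workflow text is constructed for the demonstration; the function names (`find_all_secrets_access`) and the finding format are the example's own.

```python
import re

# Every ${{ ... }} expression in a workflow file.
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)

# toJSON(secrets): function names are case-insensitive in Actions expressions.
TOJSON_RE = re.compile(r"\btojson\s*\(\s*secrets\s*\)", re.IGNORECASE)

# secrets[...] indexed access; the index text is captured for inspection.
INDEX_RE = re.compile(r"\bsecrets\s*\[(.*?)\]", re.IGNORECASE | re.DOTALL)

# A single-quoted literal index such as secrets['GH_PAT'] names one secret and
# is treated as static; anything else (format(), matrix.*, inputs.*) is dynamic.
LITERAL_RE = re.compile(r"^\s*'[^']*'\s*$")


def find_all_secrets_access(workflow_text):
    """Return a list of (line_number, kind, expression) findings.

    kind is "toJSON(secrets)" or "secrets[<dynamic>]".
    """
    findings = []
    for match in EXPR_RE.finditer(workflow_text):
        expr = match.group(1)
        # 1-based line of the opening ${{ so findings map back to the file.
        line = workflow_text.count("\n", 0, match.start()) + 1
        if TOJSON_RE.search(expr):
            findings.append((line, "toJSON(secrets)", expr.strip()))
        for index in INDEX_RE.finditer(expr):
            if not LITERAL_RE.match(index.group(1)):
                findings.append((line, "secrets[<dynamic>]", expr.strip()))
    return findings


# Constructed sample workflow (not a real repository's file). Two of the four
# env entries expose all secrets; the other two name a single secret.
SAMPLE_WORKFLOW = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        env: [PROD, DEV]
    env:
      ALL_SECRETS: ${{ toJSON(secrets) }}
      GH_TOKEN: ${{ secrets[format('GH_PAT_%s', matrix.env)] }}
      STATIC: ${{ secrets['GH_PAT'] }}
      DIRECT: ${{ secrets.GH_PAT }}
"""


if __name__ == "__main__":
    import sys

    paths = sys.argv[1:]
    if not paths:
        # No files given: report on the embedded sample.
        for line, kind, expr in find_all_secrets_access(SAMPLE_WORKFLOW):
            print(f"sample:{line}: {kind}: {expr}")
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for line, kind, expr in find_all_secrets_access(fh.read()):
                print(f"{path}:{line}: {kind}: {expr}")
```

Run as `python check_secrets.py .github/workflows/*.yml` and fail the commit if any finding is printed. This is a regex check over the raw file, so it is deliberately narrower than the CodeQL query: it only recognises the two expression shapes discussed on this page and does not model other ways a secret can reach a job.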
To avoid dynamic key access, consider using GitHub Actions environments to restrict the secrets available to the job. The secrets can then share the same name but hold different values depending on the environment the job targets, so the job references one fixed secret name. Environments can also be given deployment protection rules (such as required reviewers or branch restrictions) to further limit who and what can reach their secrets. The previous matrix workflow can be rewritten as follows:

```yaml
build:
  runs-on: ubuntu-latest
  strategy:
    matrix:
      env: [PROD, DEV]
  # Environments named PROD and DEV must exist, each with its own GH_PAT secret
  environment: ${{ matrix.env }}
  env:
    GH_TOKEN: ${{ secrets.GH_PAT }}
```