ssh-action

Any security guarantee?

Open fchabouis opened this issue 1 year ago • 4 comments

Hi, I have tested the tool and it is working fine. I am wondering if there is a guarantee that my credentials won't be leaked. Of course keys are stored as GitHub secrets, but your code has access to the secrets and could possibly log them somewhere. I am probably not the first one with this concern, but I didn't find any information about such a risk. Thanks!

fchabouis avatar Oct 18 '23 12:10 fchabouis

Same question, are there any guarantees preventing potential unauthorized modifications being made to this repository?

xxfogs avatar Oct 19 '23 16:10 xxfogs

Asked myself the same question recently. One option to mitigate the risk is switching to self-hosted runners from GitHub. Set up an SSH key on your self-hosted runner and add it to the known_hosts on your server. This way you can avoid storing the private key outside of the machine. See https://stackoverflow.com/a/72983036.

bugohoss12 avatar Oct 26 '23 09:10 bugohoss12

Source Code here: https://github.com/appleboy/drone-ssh and Images: https://github.com/appleboy/drone-ssh/pkgs/container/drone-ssh

appleboy avatar Oct 26 '23 12:10 appleboy

Build Docker image from here: https://github.com/appleboy/ssh-action/blob/4330a1ea489ced98a6778fb35bb6bfed8b61fca5/Dockerfile#L1

appleboy avatar Oct 26 '23 12:10 appleboy

We do not retain any credential information. Once used, the container is removed.

appleboy avatar Jun 03 '24 03:06 appleboy