Security hardening article should have stronger warning against using actions secrets
Code of Conduct
- [X] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions and/or https://docs.github.com/en/actions/security-guides/encrypted-secrets
What part(s) of the article would you like to see updated?
Actions secrets are extremely risky to use in a public repo because they could potentially be exfiltrated by anyone who's allowed to run a PR build. The articles linked above should more explicitly mention this risk and strongly recommend moving sensitive secrets (such as npm tokens) to environments or another solution, as well as requiring approval for outside collaborators to run PR workflows.
In the mitigation suggestions, it would be very helpful to include an example of how to use an environment solely to control secret access. The terms "environment" and "deployment" are confusing in the context of something like npm publishing which isn't typically thought of in those terms (especially for anyone who's worked on a service in the past), so developers may not realize environments can be used for that and how simple it is to set up. (I've worked on build systems in open source repos for multiple years, and despite having read through the security articles at some point, I didn't figure this out until last week.)
The "security hardening" article has also gotten extremely long, so it would probably be more readable as an overview article with multiple sub-pages.
Additional information
No response
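As an added example (not part of this issue or of GitHub's documentation), this is what the environment-gated layout the issue asks for looks like in a workflow file. It assumes an environment named `npm-publish` exists in the repository settings with required reviewers configured, that `NPM_TOKEN` is stored as a secret of that environment rather than as a repository secret, and that approval for outside-collaborator pull request workflows is enabled separately under the repository's Actions settings; the environment name, secret name and package commands are placeholders.

```yaml
# Added example, not from the issue or GitHub's docs.
# Assumptions: environment "npm-publish" exists with required reviewers,
# and NPM_TOKEN is stored as a secret of that environment only.
name: Publish to npm

on:
  release:
    types: [published]

permissions:
  contents: read

jobs:
  build:
    # No environment is referenced here, so this job cannot read NPM_TOKEN
    # even though it runs in the same workflow as the publish job.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Binding the job to the environment is what gates the secret: the job
    # waits for a required reviewer to approve, and only a job that names
    # the environment can resolve secrets.NPM_TOKEN at all.
    environment: npm-publish
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The contrast with the risky setup is that a repository-level `NPM_TOKEN` is readable by every job in every workflow, including a test job that a contributor can edit. With the token moved to the environment, only a job that declares `environment: npm-publish` can reference it, and that job does not start until a configured reviewer approves, so the environment acts purely as an access control for the secret even though nothing is being "deployed".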
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
@ecraig12345 Thanks so much for opening an issue! We appreciate the depth of info and details in supporting the issue. I'll triage this for the team to take a look :eyes:
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:
This is a gentle bump for the docs team that this issue is waiting for technical review.
Hey @ecraig12345 ✨
Thank you for making this issue and helping keep our docs updated with some security best practices. I read through your suggestion and am curious if what you're asking for is currently written in the documentation. Let me know if I'm mistaken here!
Examples
> Actions secrets are extremely risky to use in a public repo because they could potentially be exfiltrated
The docs do have a section specifically about exfiltration.
> could potentially be exfiltrated by anyone who's allowed to run a PR build
Under "Using secrets" there is a strong, red warning box that says, "Any user with write access to your repository has read access to all secrets configured in your repository. Therefore, you should ensure that the credentials being used within workflows have the least privileges required."
Does this warning box cover the scenario you're asking about for public repositories?
> and strongly recommend moving sensitive secrets (such as npm tokens) to environments or another solution
The first paragraph under "Using secrets" explains that secrets can be set at the environment level for the repository and links to the relevant documentation. Do you think this approach should be a stronger recommendation?
> as well as requiring approval for outside collaborators to run PR workflows.
One of the bullet points in "Using secrets" says "Consider requiring review for access to secrets." The section also talks about environment secrets and links out to the relevant docs, which is closely related to your suggestions about recommending environment secrets.
My questions
It might be that the right information does exist in the article, but it needs to be highlighted differently or reworded. Or it might be that important information is missing entirely. It'll be helpful for me to know the case either way.
Is there specific information that is totally missing in "Security hardening for GitHub Actions" or "Encrypted secrets"?
Or is it that certain important information about secrets should be displayed/highlighted better?
Let me know what you think!
This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further. See this blog post on bug reports and the importance of repro steps for more information about the kind of information that may be helpful.