
[Feature] Ingest GitHub secrets and workflows

Open • jychp opened this issue 2 weeks ago • 0 comments

Summary

Add support in the GitHub intel module to ingest:

  1. GitHub secrets (org / repo / environment):
    • Only metadata about existing secrets (name, scope, type, creation/update timestamps, etc.).
    • Absolutely no secret values ingested, same approach as for AWS secrets.
  2. GitHub Actions workflows:
    • Phase 1: Ingest existing workflows and basic metadata.
    • Future: Optional workflow analysis (which actions are used, which secrets are referenced, etc.).

Motivation

Cartography currently does not model GitHub secrets or workflows, which leaves a blind spot for:

  • Mapping where sensitive credentials may be configured (even if we never see the values).
  • Understanding which repositories and workflows depend on which secrets.
  • Building attack path / blast radius views:
    • “Which workflows could be abused if a given secret leaks?”
    • “Which secrets are defined but never used by any workflow?”

This feature would unlock a lot of security and governance use cases around CI/CD and GitHub Actions.

Proposed Solution

Scope

  • Extend the existing GitHub intel module to:
    • Ingest GitHub environments.
    • Ingest GitHub secrets metadata.
    • Ingest GitHub Actions workflows.
  • No secret values are ever fetched, stored, or logged.

Data Model (high-level sketch)

Exact names are up for discussion, but conceptually:

  • (:GitHubSecret)
    • Properties: id, name, visibility (org / repo / env), created_at, updated_at, org_name, repo_name, environment_name, etc.
    • Relationships:
      • (GitHubOrganization)-[:HAS_SECRET]->(GitHubSecret) for org-level.
      • (GitHubRepository)-[:HAS_SECRET]->(GitHubSecret) for repo-level.
      • (GitHubEnvironment)-[:HAS_SECRET]->(GitHubSecret) for environment-level.
  • (:GitHubWorkflow)
    • Properties: id, name, path, state, created_at, updated_at, org_name, repo_name, etc.
    • Relationships:
      • (GitHubRepository)-[:HAS_WORKFLOW]->(GitHubWorkflow)
  • Future/optional relationships (Phase 2+):
    • (GitHubWorkflow)-[:USES_SECRET]->(GitHubSecret)
    • (GitHubWorkflow)-[:USES_ACTION]->(GitHubAction) (if we decide to model actions / marketplace actions later).
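As an added illustration of the sketch above (not code from this issue or from cartography itself), the following Python builds GitHubSecret node dicts from the shape of GitHub's "list repository secrets" response using an explicit field allowlist so no value can ever be copied, derives the Phase 2 USES_SECRET pairs from `${{ secrets.NAME }}` references in workflow text, and answers the "defined but never used" question from the Motivation. The sample response, workflow file, org and repo names are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of GitHub's "list repository secrets" response shape
# (the API returns metadata only, never values).
SAMPLE_SECRETS_RESPONSE = {
    "total_count": 2,
    "secrets": [
        {"name": "NPM_TOKEN", "created_at": "2025-01-10T12:00:00Z", "updated_at": "2025-06-01T08:30:00Z"},
        {"name": "DEPLOY_KEY", "created_at": "2025-02-02T09:15:00Z", "updated_at": "2025-02-02T09:15:00Z"},
    ],
}

# Constructed sample workflow file: it references one stored repo secret and the
# automatically provided GITHUB_TOKEN, which is not a stored secret.
SAMPLE_WORKFLOWS = {
    ".github/workflows/publish.yml": """
jobs:
  publish:
    steps:
      - uses: actions/checkout@v4
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: gh release create v1 --notes ""
        env:
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
""",
}

# Explicit allowlist of API fields copied onto a GitHubSecret node; any other
# key in the payload (now or in a future API version) never reaches the graph.
SECRET_FIELDS = ("name", "created_at", "updated_at")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def transform_secrets(response: dict, org: str, repo: str, visibility: str = "repo") -> List[dict]:
    """Build GitHubSecret node dicts (metadata only) from the API response."""
    nodes = []
    for s in response["secrets"]:
        node = {k: s[k] for k in SECRET_FIELDS}
        node.update(id=f"{org}/{repo}/{visibility}/{s['name']}", visibility=visibility,
                    org_name=org, repo_name=repo)
        nodes.append(node)
    return nodes


def uses_secret_rels(workflows: Dict[str, str]) -> Set[Tuple[str, str]]:
    """(workflow_path, secret_name) pairs that would back a USES_SECRET relationship."""
    return {(path, name) for path, text in workflows.items() for name in SECRET_REF.findall(text)}


def unused_secrets(secret_nodes: List[dict], rels: Set[Tuple[str, str]]) -> List[str]:
    """Secrets defined in the graph that no workflow references."""
    used = {name for _, name in rels}
    return sorted(n["name"] for n in secret_nodes if n["name"] not in used)
```

Note that GITHUB_TOKEN shows up as a reference without a matching GitHubSecret node; a real loader would either skip it or model it separately rather than treat it as a dangling USES_SECRET edge.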

jychp • Dec 08 '25 18:12