GHA-SEC001 Plaintext Secrets
Problem Statement
Secrets must not be written to the workflow log, whether by echoing them directly or by passing them to a command that prints its arguments, its input, or its environment. GitHub Actions masks a registered secret in the log, but only its exact value: anything derived from it (encoded, split, or embedded in structured output) is printed in the clear.
Vulnerability
Exposure of credentials: anyone who can read the workflow run log, which on a public repository is everyone, obtains the secret.
Code Examples
Insecure Implementation
# The step log now carries the secret; masking will not help once it is encoded or split.
- run: echo "${{ secrets.MY_SECRET }}"
Secure Implementation
# Acceptable only if some_command never echoes its arguments; prefer passing the value through env: rather than into the script text.
- run: some_command --token "${{ secrets.MY_SECRET }}"
Remediation Steps
- Never log secrets directly: no echo, printf, or cat of files that hold them, and no dumping of the environment (env, printenv, set) in a step that has secrets in its env.
- Use secrets only in the steps where they are essential, and pass them through env: rather than interpolating ${{ secrets.* }} into the run: script text.
- Ensure the command or tool does not print the secret accidentally: check verbose and debug flags, HTTP clients that log request headers, and shell tracing (set -x), all of which echo expanded values.
- Do not rely on automatic masking: it redacts only the exact registered value, so register any derived value with echo "::add-mask::VALUE" before it can reach the log.
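The following is an added example, not part of the original rule text or of any GitHub project. It embeds a constructed workflow (the job, secret name, and https://deploy.example.com URL are placeholders) containing two steps that interpolate a secret into a run: command and two steps that pass it through env: and mask a derived value, then runs an awk-based audit that flags the insecure lines. The audit treats a secret used as the sole value of an env: or with: key as safe and everything else as a finding.

```shell
#!/bin/sh
# Added example for GHA-SEC001: audit a workflow file for secrets interpolated
# into run: commands. The workflow below is constructed for this example.

# Lines 8 and 9 leak the secret (the second one also defeats masking, because
# the base64 form is not the registered secret string). The last two steps
# read the secret from env: and register a derived value with ::add-mask::.
SAMPLE_WORKFLOW='name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "token is ${{ secrets.MY_SECRET }}"
      - run: echo "${{ secrets.MY_SECRET }}" | base64
      - name: Deploy (secure)
        env:
          DEPLOY_TOKEN: ${{ secrets.MY_SECRET }}
        run: |
          curl -sS -H "Authorization: Bearer $DEPLOY_TOKEN" https://deploy.example.com/hook
      - name: Mask a derived credential (secure)
        env:
          DEPLOY_TOKEN: ${{ secrets.MY_SECRET }}
        run: |
          DERIVED=$(printf "%s" "$DEPLOY_TOKEN" | base64)
          echo "::add-mask::$DERIVED"
'

# write_sample_workflow FILE: write the constructed workflow to FILE.
write_sample_workflow() {
    printf '%s' "$SAMPLE_WORKFLOW" > "$1"
}

# audit_workflow FILE
# Prints "line: text" for every line that interpolates ${{ secrets.* }} into
# anything other than the sole value of an env:/with: key (a run: key is
# always a finding). Returns 1 when something is flagged, 0 when clean.
audit_workflow() {
    awk '
        /[$][{][{][ \t]*secrets[.]/ {
            is_kv  = ($0 ~ /^[ \t]*[A-Za-z_][A-Za-z0-9_-]*:[ \t]*[$][{][{][ \t]*secrets[.][A-Za-z0-9_]+[ \t]*[}][}][ \t]*$/)
            is_run = ($0 ~ /^[ \t]*-?[ \t]*run:/)
            if (is_kv && !is_run) next
            found = 1
            printf "%d: %s\n", NR, $0
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# audit_count FILE: number of flagged lines, as a bare integer.
audit_count() {
    audit_workflow "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: audit the constructed workflow and report.
tmpfile=$(mktemp)
write_sample_workflow "$tmpfile"
if audit_workflow "$tmpfile"; then
    echo "clean: no secrets interpolated into run: steps"
else
    echo "GHA-SEC001: $(audit_count "$tmpfile") line(s) expose a secret in $tmpfile"
fi
rm -f "$tmpfile"
```

Run it against a real workflow with audit_workflow .github/workflows/deploy.yml; a non-zero exit status makes it usable as a pre-commit or CI gate. The check is line-based, so a secret interpolated inside a multi-line run: | block is still caught because the ${{ secrets. text appears on its own line, but a secret first copied into an env: variable and then echoed as $VAR is outside its scope and needs the review in the remediation steps.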