GHA-SEC014: Use of Legacy GCP Authentication
Problem Statement
The credentials_json input of google-github-actions/auth takes a long-lived service account key, stored as a repository secret, instead of a short-lived token obtained through federation.
Vulnerability
Secret Leakage Risk: the service account key persists in repository secrets and wherever the workflow exposes it, and a leaked key remains valid until it is manually rotated or revoked.
Code Examples
Insecure Implementation
- uses: google-github-actions/auth@v2
  with:
    credentials_json: '<YOUR-SERVICE-ACCOUNT-FILE-AS-INPUT>'
Secure Implementation
- uses: google-github-actions/auth@v2
  with:
    token_format: 'access_token'
    workload_identity_provider: '<YOUR-WORKFLOW-IDENTITY-PROVIDER>'
    service_account: '<SERVICE-ACCOUNT>'
Remediation Steps
- Stop using credentials_json.
- Set up Workload Identity Federation in GCP.
- Use short-lived, auto-rotated tokens.
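A complete job wiring Workload Identity Federation into a workflow, added here as an illustration rather than taken from the rule catalogue; the provider resource name, project identifiers and service account are placeholders. It also shows the permissions block granting id-token: write, which the runner needs before the auth action can request the OIDC token it exchanges for a GCP access token.

```yaml
name: deploy

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    # id-token: write lets the job mint an OIDC token; everything else stays minimal.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      # Exchange the runner's OIDC token for a short-lived GCP access token.
      # No credentials_json input and no service-account key stored in the repo.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          token_format: 'access_token'
          # Placeholder values: use your pool/provider resource name and the
          # service account that the provider is allowed to impersonate.
          workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID'
          service_account: 'deployer@PROJECT_ID.iam.gserviceaccount.com'

      # gcloud picks up the credentials configured by the auth step.
      - uses: google-github-actions/setup-gcloud@v2

      # The access token expires on its own; nothing in the repository needs rotating.
      - run: gcloud storage ls
```

On the GCP side, restrict the provider's attribute condition to the repository (and branch, if appropriate) that should be allowed to impersonate the service account, so that other workflows presenting a GitHub OIDC token are refused.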