Security Alert: Over 10% of public repositories expose secrets in GitHub Actions logs. Follow these practices to protect your credentials.
Why Pipeline Security Matters
GitHub Actions has become the backbone of modern CI/CD, but misconfigured workflows can expose:
- Cloud provider credentials (AWS, GCP, Azure)
- API keys and service tokens
- Database connection strings
- Private package registry credentials
Common Attack Vectors
- Malicious pull requests injecting code into workflows
- Accidental secret logging in console output
- Overprivileged GITHUB_TOKEN permissions
- Third-party action vulnerabilities
1. Replace Long-Lived Secrets with OIDC
OpenID Connect (OIDC) allows temporary, scoped credentials instead of static secrets:
OIDC Flow:
[GitHub Actions] → [JWT Token] → [Cloud Provider] → [Temporary Credentials]
AWS OIDC Configuration Example
# .github/workflows/deploy.yml
permissions:
id-token: write # Required for OIDC
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::123456789012:role/github-actions-role
aws-region: us-east-1Azure OIDC Setup
- uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}Benefit: OIDC tokens are automatically rotated and only valid for a few minutes, eliminating the risk of stolen long-term credentials.
2. Implement Secret Scanning
GitHub Advanced Security
# .github/workflows/secret-scanning.yml
name: Secret Scanning
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan for secrets
uses: github/codeql-action/secret-scanning@v1Pre-commit Hook Alternative
# Install detect-secrets
pip install detect-secrets
# Create baseline
detect-secrets scan > .secrets.baseline
# Add to pre-commit
- repo: local
hooks:
- id: secrets
name: Detect secrets
entry: detect-secrets-hook --baseline .secrets.baseline
language: system
files: \.(env|key|secret|config)$3. Harden GITHUB_TOKEN Permissions
Default permissions are too permissive. Apply least privilege:
| Permission | Recommended Scope | Risk if Overprivileged |
|---|---|---|
| contents | read (or write for deploy jobs) | Repository tampering |
| actions | read (or none) | Workflow injection |
| packages | read (or write for publish) | Package registry compromise |
# Minimal permissions example permissions: contents: read issues: write pull-requests: write
4. Third-Party Action Security
Best practices for using community actions:
Golden Rule: Always pin actions to full commit SHA, not tags which can be moved.
# UNSAFE - uses floating tag uses: actions/checkout@v3 # SAFE - pinned to exact SHA uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
Action Allowlisting
For organizations, implement action restrictions:
# Organization policy
gh api \
--method PUT \
-H "Accept: application/vnd.github.v3+json" \
/orgs/{org}/actions/permissions/selected-actions \
-f '{"patterns_allowed":["actions/checkout","docker/*"]}'5. Audit and Monitoring
Workflow Run Auditing
# List all workflows with write permissions
gh api /repos/{owner}/{repo}/actions/workflows \
| jq '.workflows[] | select(.permissions.can_approve)'
# Export audit logs (Enterprise only)
gh api /orgs/{org}/audit-log \
-F 'phrase="action:workflow"' \
> audit_logs.jsonReal-Time Alerting
# .github/workflows/security-alerts.yml
name: Security Alerts
on:
workflow_run:
workflows: ["*"]
types: [completed]
jobs:
alert:
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@v6
with:
script: |
if (context.payload.workflow_run.conclusion === 'failure') {
github.rest.issues.createComment({
issue_number: context.payload.workflow_run.head_sha,
owner: context.repo.owner,
repo: context.repo.repo,
body: '⚠️ Workflow failed! Please review for security issues.'
})
}Bonus: Emergency Secret Rotation
When secrets are leaked, rotate immediately:
# GitHub CLI rotation
gh secret set AWS_ACCESS_KEY_ID --body="AKIA..." --repo={owner}/{repo}
# Bulk rotation script
for secret in $(gh secret list --repo {owner}/{repo} | awk '{print $1}'); do
gh secret delete $secret --repo {owner}/{repo}
echo "Rotated $secret"
doneCritical Reminders
- Never echo secrets in logs (even if masked)
- Review pull requests from forks carefully
- Regularly audit workflow permissions
- Use separate accounts for CI/CD
Implementation Checklist
| Task | Priority | Completed |
|---|---|---|
| Enable OIDC for cloud providers | Critical | □ |
| Implement secret scanning | High | □ |
| Restrict GITHUB_TOKEN | High | □ |
| Pin third-party actions | Medium | □ |
| Set up audit logging | Medium | □ |
Conclusion
Securing GitHub Actions requires a defense-in-depth approach. By implementing OIDC, secret scanning, least privilege permissions, and rigorous auditing, you can significantly reduce the risk of credential leaks and pipeline compromise.
Remember: Every workflow is a potential attack surface. Treat your CI/CD pipeline with the same security rigor as production systems.
Additional Resources
- GitHub Actions Security Hardening Guide
- OpenSSF Scorecard (Automated Security Checks)
- Cosign (Workflow Artifact Signing)
