Ensure GitHub Actions secrets are encrypted

ID: plaintext_secret_gh

Severity: high

Vendor: GitHub

Resource: Terraform (GitHub Actions)

Tags: reachable

Description

The GitHub Terraform provider's secret resources accept a plaintext_value attribute that holds the secret in clear text. Use this option with care: a plaintext secret kept in the codebase or in version control can be exposed inadvertently, which is a significant security risk.

To mitigate this risk, manage secrets separately in a secure secret management system and do not embed plaintext secrets directly in Terraform configurations.

Examples

Terraform

resource "github_actions_environment_secret" "example" {
  repository      = "example-repo"         # required: repository that owns the environment
  environment     = "example_environment"
  secret_name     = "example"
  plaintext_value = "Thisismypwd"          # (1)
}

(1) The plaintext_value attribute is being used, so the secret sits in clear text in the configuration.

Mitigation / Fix

Buildtime

Terraform

resource "github_actions_environment_secret" "example" {
  repository      = "example-repo"         # required: repository that owns the environment
  environment     = "example_environment"
  secret_name     = "example"
  encrypted_value = "Wsdf892n3inh7"        # (1)
}

(1) Fixed: replaced with encrypted_value, which carries the secret already encrypted with the repository's public key, so no plaintext appears in the configuration. The value shown is a placeholder, not a real encrypted secret.
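A small checker for this rule, added here as an example and not part of the original page or of the GitHub provider: it scans Terraform text for plaintext_value on GitHub Actions secret resources and reports whether the value is a hardcoded string literal or a reference. It generalizes from the github_actions_environment_secret shown above to the assumed sibling resources github_actions_secret and github_actions_organization_secret, and uses a regex approximation of HCL rather than a full parser.

```python
import re
from dataclasses import dataclass

# Resources accepting plaintext_value: the environment variant is from the
# page; the other two are assumed sibling GitHub Actions secret resources.
ACTIONS_SECRET_TYPES = {"github_actions_secret", "github_actions_environment_secret",
                        "github_actions_organization_secret"}

# Regex approximation of `resource "<type>" "<name>" { ... }` (one nesting level).
_BLOCK_RE = re.compile(r'resource\s+"(?P<type>\w+)"\s+"(?P<name>[\w-]+)"\s*\{'
                       r'(?P<body>[^{}]*(?:\{[^{}]*\}[^{}]*)*)\}')
_ATTR_RE = re.compile(r'^\s*(?P<key>plaintext_value)\s*=\s*(?P<val>.+?)\s*$', re.M)
_LITERAL_RE = re.compile(r'"(?:[^"\\]|\\.)*"')

@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource: str    # "<type>.<name>"
    line: int        # 1-based line of the plaintext_value attribute
    hardcoded: bool  # True when the value is a quoted string literal

def check_plaintext_secrets(hcl: str) -> list[Finding]:
    """Return one Finding per plaintext_value on a GitHub Actions secret resource."""
    findings = []
    for block in _BLOCK_RE.finditer(hcl):
        if block.group("type") not in ACTIONS_SECRET_TYPES:
            continue
        for attr in _ATTR_RE.finditer(block.group("body")):
            pos = block.start("body") + attr.start("key")
            findings.append(Finding(
                rule_id="plaintext_secret_gh",
                resource=f'{block.group("type")}.{block.group("name")}',
                line=hcl.count("\n", 0, pos) + 1,
                # A quoted literal puts the secret itself in version control; a
                # reference (var./local./data.) still trips the rule but is less severe.
                hardcoded=bool(_LITERAL_RE.match(attr.group("val"))),
            ))
    return findings

SAMPLE_HCL = """resource "github_actions_environment_secret" "example" {
  repository      = "example-repo"
  environment     = "example_environment"
  secret_name     = "example"
  plaintext_value = "Thisismypwd"
}
"""  # constructed sample: the page's offending block plus the required repository

if __name__ == "__main__":
    for f in check_plaintext_secrets(SAMPLE_HCL):
        print(f"{f.rule_id}: {f.resource} line {f.line} hardcoded={f.hardcoded}")
```

Run it over the contents of each .tf file; a resource using encrypted_value produces no finding.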