Secrets used in workflows should not be echoed in the console
ID | cicd_secret_echoed
Severity | critical
Family | CI/CD Security
Tags | cicd-sec-06, cicd-security, reachable, security, supply-chain
Description
A secret may be echoed to a file or to the console to recover a forgotten value or for debugging purposes. This exposes the secret in the CI/CD output panel, where it can be viewed by anyone with access to the output. For publicly viewable logs, the secret becomes visible to everyone.
This check looks for suspicious shell commands that write a secret variable, secret file, or access token to standard output or send it to a remote server. This may happen inadvertently, or deliberately in combination with an obfuscation mechanism (such as encoding or transforming the value) that prevents the CI/CD system from masking the secret before it reaches the log.
Most SCM systems mask secrets before they are sent to the log system; in those cases an Info-level issue is reported.
Security
Credentials printed to console output are one of the major flaws affecting credential hygiene.
Insufficient credential hygiene risks concern an attacker's ability to obtain and use the various secrets and tokens spread throughout the pipeline, due to flaws in the access controls around credentials, insecure secret management, and overly permissive credentials. The impact of such risks can be severe, as it can lead to data breaches, unauthorized access, and data loss.