Secrets outside of environments

[AndrewMohawk]

Loving the tool so far! I'd love to have zizmor also determine secrets referenced outside of environments within GH actions. I see it fairly often and it means that if anyone has the ability to create a PR with an updated workflow they can exfil secrets that arent tied to an environment (and that environment having branch protections). The caveat here is that an attacker would have had to submit a PR before the malicious one (usually you would see them as doing typo fixes first).

[woodruffw]

Hi @AndrewMohawk, thanks for the kind words! I'm glad you're enjoying the tool.

Could you say a bit more about the audit idea here? Is the idea that this would be an online audit over the secrets context, flagging anything that's referenced that's defined as a repo- (or org-wide) secret instead of an environment one?

I think that makes sense to me, but it might be outside of zizmor's current capabilities (since it involves repo state, rather than the workflow's own configuration). But if you have docs/API references for how we could implement this with just a normal GH_TOKEN it might be something we could do.

[woodruffw]

Did some API research:

• listing environment secrets: https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#list-environment-secrets
• list environments: https://docs.github.com/en/rest/deployments/environments?apiVersion=2022-11-28#list-environments

So this is doable, although it requires a more permissive token than the typical GH_TOKEN.

[woodruffw]

This is a new audit idea, so I've created #184 to track it. Thanks again @AndrewMohawk!