
Audit idea: Secrets outside of environments #184

Open
woodruffw opened this issue Nov 21, 2024 Discussed in #181 · 1 comment
Labels
new-audit New audits

Comments

@woodruffw
Owner

Discussed in #181

Originally posted by AndrewMohawk November 19, 2024
Loving the tool so far! I'd love to have zizmor also determine secrets referenced outside of environments within GH actions. I see it fairly often and it means that if anyone has the ability to create a PR with an updated workflow they can exfil secrets that aren't tied to an environment (and that environment having branch protections). The caveat here is that an attacker would have had to submit a PR before the malicious one (usually you would see them as doing typo fixes first).
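An added example, not zizmor's code and not part of this thread, of the static half of the check the post asks for: walk a workflow's jobs, collect every `secrets.<NAME>` expression, and report the ones used in jobs that declare no `environment:` (a `secrets: inherit` reusable-workflow call is reported as forwarding everything). It reasons only from the workflow file, so it cannot tell whether a given secret is repository-scoped or environment-scoped; the workflow text, job names and secret names are constructed, Ruby is used because its standard library parses YAML, and skipping `GITHUB_TOKEN` is this example's own assumption.

```ruby
require 'yaml'
# Constructed sample workflow (not from the issue): "build" reads NPM_TOKEN with
# no environment gate, "deploy" is gated, "release" forwards all secrets.
WORKFLOW = <<~YAML
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
          with:
            token: ${{ secrets.GITHUB_TOKEN }}
        - run: npm publish
          env:
            NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
    deploy:
      runs-on: ubuntu-latest
      environment: production
      steps:
        - run: ./deploy.sh "${{ secrets.DEPLOY_KEY }}"
    release:
      uses: octo-org/shared/.github/workflows/release.yml@main
      secrets: inherit
YAML
# Every secrets.<NAME> used inside a ${{ ... }} expression under a YAML node.
def secret_names(node)
  case node
  when String
    node.scan(/\$\{\{(.*?)\}\}/).flatten
        .flat_map { |expr| expr.scan(/\bsecrets\.([A-Za-z_]\w*)/).flatten }
  when Array then node.flat_map { |v| secret_names(v) }
  when Hash  then node.values.flat_map { |v| secret_names(v) }
  else []
  end
end

# [[job_id, secret_name], ...] for secrets reachable from jobs with no
# `environment:`. GITHUB_TOKEN is skipped (assumption: it is always issued to
# the job, so environment gating is not what protects it).
def ungated_secrets(workflow_yaml)
  jobs = YAML.safe_load(workflow_yaml).fetch('jobs', {})
  jobs.flat_map do |job_id, job|
    next [] if job.key?('environment')
    names = secret_names(job).uniq - ['GITHUB_TOKEN']
    names << '*' if job['secrets'] == 'inherit' # reusable call gets all secrets
    names.map { |n| [job_id, n] }
  end
end

puts ungated_secrets(WORKFLOW).map { |j, n| "#{j}: secrets.#{n} has no environment gate" }
```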

@woodruffw woodruffw added the new-audit New audits label Nov 21, 2024
@woodruffw
Owner Author

Additional context in #181; this is something we could do, but requires a more privileged GH_TOKEN than is typical. So some thought needs to go into how we expose this/warn users when it's being skipped due to insufficient permissions.

@woodruffw woodruffw mentioned this issue Nov 24, 2024