aws-powertools/powertools-lambda-typescript

Maintenance: Avoid Excessive Secret Exposure through dynamically accessed secrets in workflow

sdangol opened this issue · 2 comments

sdangol commented

Summary

We should only pass those secrets that are needed by the workflow and avoid using dynamically accessed secrets such as secrets[format('GH_PAT_%s', matrix.env)] since the workflow will need to receive all secrets to decide at runtime which one needs to be used.

This is a medium CodeQL finding:

Why is this needed?

When the workflow runner cannot determine what secrets are needed to run the workflow, it will pass all the available secrets to the runner including organization and repository secrets. This violates the least privileged principle and increases the impact of a potential vulnerability affecting the workflow.

Which area does this relate to?

Automation

Solution

strategy:
  matrix:
    env: [PROD, DEV]
---
if: matrix.env == "PROD"
env:
  GH_TOKEN: ${{ secrets.GH_PAT_PROD }}
---
if: matrix.env == "DEV"
env:
  GH_TOKEN: ${{ secrets.GH_PAT_DEV }}

Acknowledgment

Future readers

Please react with 👍 and your use case to help us understand customer demand.

powertools-for-aws-oss-automation commented

Warning

This issue is now closed. Please be mindful that future comments are hard for our team to see.
If you need more assistance, please either reopen the issue, or open a new issue referencing this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions commented

This is now released under v2.25.2 version!