Docker cli login potential security issue or not? #26826
-
Login to DockerHub in a GiHA pipeline using the Docker CLI:
The *** represent ${{ secrets.DOCKER_USER }} and ${{ secrets.DOCKER_PASSWORD }} respectively. So, I followed the warning, found the file and printed it in the console:
So here I found that the password to my Dhub account was indeed encrypted by GitHub’s Secrets module and appended to this file encrypted, unlike the warning in the log indicated. Now what I am wondering, if the password is encrypted by the Secrets module is there really a security issue with that value being appended to the My conclusion is |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 5 replies
-
aleks-ivanov:
That conclusion is unfortunately wrong, try base64-decoding that If someone could get access to the runner while your credentials are in there they could use them. It’s up to you whether you consider that an unacceptable risk. It is common practice to ensure that the credentials are deleted after use, even though the GitHub-hosted runner VMs are discarded after the job. |
Beta Was this translation helpful? Give feedback.
-
That’s what I was unsure about, thanks for clarifying. What are ways that someone could access the runner during execution, other than having access to my GH account ? |
Beta Was this translation helpful? Give feedback.
-
If you use GitHub-hosted runners, no-one should be able to access them, assuming that:
If you use self-hosted runners, it’s up to you to secure them. |
Beta Was this translation helpful? Give feedback.
-
Is there a more secure solution for allowing GitHub Workflows to push Docker images? This is basically the same solution I'm using now, and it does work. However, I'd like to switch to a better solution, and I cannot replace something with nothing. |
Beta Was this translation helpful? Give feedback.
That conclusion is unfortunately wrong, try base64-decoding that
long-string-of-random-characters
thing. 😉If someone could get access to the runner while your credentials are in there they could use them. It’s up to you whether you consider that an unacceptable risk. It is common practice to ensure that the credentials are deleted after use, even though the GitHub-hosted runner VMs are discarded after the job.