CI/CD as code has created a whole new set of challenges. Security is among them.
Right now "Send secrets to workflows from fork pull requests." is checked by default. With a third-party fork and a change to the “.github/workflows” files that dumps secrets to the console, it is very easy to steal secrets. Moreover, once the PR and the fork are removed, any trace of this activity is gone.
This is a serious vulnerability. Here are the proposals (by priority and ease of implementation):
- Make "Send secrets to workflows from fork pull requests." unchecked by default.
- Do not allow changes to “.github/workflows” files from forks. Forks rarely change CI/CD. If they want to change it, they will have to use issues or other ways to communicate this change.
- Mask secrets anywhere, anytime. There are still plenty of shell scripts that allow secrets to be dumped, passed from step to step unmasked, etc.
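Until the second proposal is enforced on the platform side, a repository can apply the same rule itself. The check below is an added example, not code from the original post: it refuses a pull request that comes from a fork and touches anything under `.github/workflows/`. The fork flag and the changed-file list are passed in as arguments (in a workflow job they would come from the fork check `github.event.pull_request.head.repo.full_name != github.repository` and from `git diff --name-only`); the sample inputs at the bottom are constructed.

```bash
#!/bin/sh
# Added example (not from the original post): reject fork pull requests that modify
# workflow definitions, so a fork cannot rewrite CI to dump secrets to the console.

# check_fork_workflow_change <is_fork: true|false> <changed-files, newline separated>
# Returns 0 when the change is acceptable, 1 when a fork PR touches .github/workflows/.
check_fork_workflow_change() {
    is_fork="$1"
    changed="$2"
    if [ "$is_fork" != "true" ]; then
        return 0   # branches in the same repository are trusted to edit CI config
    fi
    # Any path under .github/workflows/ counts as a workflow change.
    if printf '%s\n' "$changed" | grep -q '^\.github/workflows/'; then
        printf 'Refusing: fork pull request modifies workflow files:\n' >&2
        printf '%s\n' "$changed" | grep '^\.github/workflows/' >&2
        return 1
    fi
    return 0
}

# Constructed sample inputs (what `git diff --name-only base head` might print).
SAMPLE_FORK_OK='src/main.c
README.md'
SAMPLE_FORK_BAD='src/main.c
.github/workflows/ci.yml'
```

In a job, call it as `check_fork_workflow_change "$IS_FORK" "$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")"` before any step that receives secrets, so a non-zero exit stops the job.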