Skip to main content
FieldValue
CategoryCICD-SEC-6
SeverityHIGH (toJSON) / MEDIUM (workflow env)
ConfidenceHIGH
OWASPCICD-SEC-6: Insufficient Credential Hygiene
Auto-fix

What the check does

Flags two over-exposure patterns:
  • ${{ toJSON(secrets) }} — serializes every repository and organization secret into a single value (HIGH).
  • Workflow-level env: bound to a secret — the value is readable by every step of every job, far wider than the one step that needs it (MEDIUM).

Why it matters

The blast radius of a credential leak is set by how widely the credential is provisioned. toJSON(secrets) means one injection, one careless echo, or one compromised action can exfiltrate the entire secret store at once. A workflow-level secret env var is present in every step, including third-party actions you don’t control.
env:
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # ← visible to every step of every job
jobs:
  a:
    steps:
      - run: echo '${{ toJSON(secrets) }}'    # ← dumps ALL secrets

Safe alternative

Bind each secret at the narrowest scope that needs it, and reference secrets individually:
jobs:
  deploy:
    steps:
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # ← only this step