Skip to main content
FieldValue
CategoryCICD-SEC-7
SeverityHIGH
OWASPCICD-SEC-7: Insecure System Configuration
Auto-fix✓ (what it does)

What the check does

Flags any env: block (workflow, job, or step level) that sets either of:
  • ACTIONS_STEP_DEBUG
  • ACTIONS_RUNNER_DEBUG
…to a truthy value (true, 1, yes, on, case-insensitive).

Why it matters

These environment variables turn on the debug-logging knobs GitHub designed for interactive troubleshooting. When enabled:
  • The runner prints the value of every environment variable at step boundaries.
  • Internal action logs ordinarily filtered to “info” are emitted at “debug” — and many third-party actions log secret-derived values at debug level on the assumption no-one will see them.
  • Secret masking sometimes fails on transformed values (e.g. a base64-encoded secret, or one passed through jq).
Anyone with read access to workflow logs (including PR-fork contributors, if the workflow runs on pull_request) can read those logs. GitHub provides a “Re-run with debug logging” button for genuine troubleshooting — debug logging committed to a workflow file is almost always a forgotten git commit -a from a debugging session.

Vulnerable example

env:
  ACTIONS_STEP_DEBUG: true        # ← exposes secret-derived values in logs

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: ./build.sh

Safe alternative

Remove the env entry. When you need debug logs, re-run the workflow with debug enabled from the GitHub UI: Actions → failed run → Re-run jobs → check Enable debug logging. The toggle applies to that single re-run and isn’t persisted. For deeper instrumentation that you do want to keep, structure your scripts to emit explicit logs at ::notice:: / ::warning:: / ::error:: levels, which integrate cleanly with the run summary without dumping the entire environment.

Auto-fix

--fix deletes the ACTIONS_STEP_DEBUG / ACTIONS_RUNNER_DEBUG entry from whichever env: block (workflow, job, or step) contains it. Sibling env entries in the same block are preserved. If the env block ends up empty, it’s left in place — yaml.v3 emits env: {} which the runner accepts.