Search code examples
yamlgithub-actionsworkflowaws-secrets-manager

Github Secrets are not really secured, how to secure secrets permanently

I don't know why Github secrets are really called secrets, because it can be printed out by any person working in organization with push access, i.e. they create branch use below trick to print secret and then delete the branch, and with snap of fingers any employee can take out secrets.

If there is optimal solution, kindly guide me to permanently secure my github action secrets.

 steps:
      - name: 'Checkout'
        uses: actions/checkout@master
      - name: 'Print secrets'
        run: |
            echo ${{ secrets.SOME_SECRET }} | sed 's/./& /g'
Solution

  • First off, GitHub has an article on Security hardening for actions, which contains some general recommendations.

    In general, you want to distinguish between public and internal/private repositories.

    Most of my following answer is on internal/private repositories, but if you're concerned about public repositories: Keep in mind that actions are not run on PRs from third parties until they are approved.

    For internal/private repositories, you're going to have to trust your colleagues with some secrets. Going through the hassle of guarding all secrets to the extent that they can't be "extracted" by a colleagues is probably not worth the effort. And at that point, you probably also have to ask yourself what damage a malicious employee could do even without knowing these secrets (perhaps they have inside knowledge of your business, they work in IT so they might be able to put your services offline, etc). So you're going to have to trust them to some extent.

    Some measures to limit the damage a malicious colleague could do:

    Environment Secrets

    You can create a secret for an environment and protect the environment.

    For example, assume you want to prevent colleagues from taking your production secrets and deploy from their computers instead of going through GitHub actions.

    You could create a job like the following:

    jobs:
  prod:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - run: ./deploy.sh --keys ${{ secrets.PROD_SECRET }}

    Steps:

    • Configure the secret PROD_SECRET as an environment secret for production
    • Create the environment production and setup protection rules
      • If you really want to be sure nobody does something you don't like, you can set yourself as a reviewer and then manually approve every deployment

    Codeowners

    You could use codeowners and protect the files in .github/workflows. more about codeowners

    OIDC and reusable workflows

    If you're deploying to some cloud environment, you should probably use OpenID Connect. That, combined with reusable workflows, can give you an additional layer of security: You can specify which workflow is allowed to deploy to production.