GitHub Actions workflows should handle secrets securely by passing them through environment variables rather than directly expanding them in run commands. When secrets are expanded directly in run commands using GitHub’s expression syntax (${{ secrets.SECRET_NAME }}), they may be exposed in process lists, shell history, or files.

This practice increases the risk of accidental secret exposure, as command-line arguments and process information can be visible to other processes running on the same system.

Ask Yourself Whether

• The secret values are being passed directly as command-line arguments.
• The workflow runs on shared or multi-tenant infrastructure where process lists might be visible.
• Shell history or command logging is enabled on the runner environment.

There is a risk if you answer yes to any of the above questions.

Recommended Secure Coding Practices

Pass secrets to steps through environment variables instead of command-line arguments.

Sensitive Code Example

name: Example

on:
  pull_request:

jobs:
  main:
    steps:
      - name: example
        run: |
          example-command "${{ secrets.EXAMPLE_SECRET }}" # Sensitive

Compliant Solution

name: Example

on:
  pull_request:

jobs:
  main:
    steps:
      - name: example
        env:
          SECRET: ${{ secrets.EXAMPLE_SECRET }}
        run: |
          example-command "$SECRET"

See

• GitHub Docs - Using secrets in GitHub Actions
• OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure
• OWASP - Top 10 2021 Category A1 - Broken Access Control
• CWE - CWE-532 - Insertion of Sensitive Information into Log File
• CWE - CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory