GitHub Actions automatically redacts secrets from logs to prevent accidental exposure. However, when structured data stored as secrets is parsed using functions like fromJSON(), the parsed values are no longer recognized as secrets by the automatic redaction mechanism. This can lead to sensitive information being exposed in workflow logs.

Ask Yourself Whether

The structured data contains sensitive information that should not be exposed in logs.
The parsed values from the structured data are used in contexts where they might be printed to logs.
There are no additional safeguards in place to prevent the exposure of these parsed values.

There is a risk if you answer yes to all of these questions.

Recommended Secure Coding Practices

Avoid parsing structured data stored as secrets when the individual values need to remain secret.
Store individual secrets separately instead of embedding them in structured data.
If structured data must be used, ensure that any operations involving the parsed values are performed in environments where logging is controlled.
Use intermediate variables with care and avoid echoing or printing variables that contain parsed secret values.

Sensitive Code Example

name: Example

on:
  pull_request:

jobs:
  main:
    runs-on: ubuntu-latest

    steps:
      - name: Example Step
        env:
          SECRET: ${{ fromJSON(secrets.JSON_SECRET).SECRET_IN_JSON }} # Sensitive
        run: |
          example-command "$SECRET"

Compliant Solution

The example below is compliant because the secret is not parsed from structured data.

name: Example

on:
  pull_request:

jobs:
  main:
    runs-on: ubuntu-latest

    steps:
      - name: Example Step
        env:
          SECRET: ${{ secrets.SECRET }}
        run: |
          example-command "$SECRET"

See

GitHub Docs - Using secrets in GitHub Actions
GitHub Docs - Automatically redacted secrets

Ask Yourself Whether

Recommended Secure Coding Practices

Sensitive Code Example

Compliant Solution

See

See Also