
Set persist-credentials to false#37

Open
liviuconcioiu wants to merge 1 commit into phpmyadmin:master from liviuconcioiu:actions

Conversation

@liviuconcioiu

Contributor

@williamdes I've got this check from Aikido when updating actions/checkout on device-detector:

GitHub Action actions/checkout persist Git credentials in workflow - low severity

actions/checkout v2 and above persist the default GITHUB_TOKEN in the repository's local git config when persist-credentials is not set to false, during the workflow run. Subsequent workflow steps or third-party actions can read this token from git configuration, increasing the risk of credential theft or misuse within the pipeline. In order to limit the attack surface when external actions are compromised, ensure persist-credentials is set to false.


Remediation: Set persist-credentials: false on actions/checkout steps that do not need to push commits back to the repository. Only keep persist-credentials: true when the workflow explicitly performs authenticated git push operations.

I considered also fixing it here.

Signed-off-by: Liviu-Mihail Concioiu <liviu.concioiu@gmail.com>
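A defender-side check for the finding quoted above, added here as an example and not code from this PR or the phpMyAdmin project: a small Python scan (no PyYAML needed) that lists the `actions/checkout` steps in a workflow file that do not set `persist-credentials: false`. The sample workflow it runs on is constructed for the example.

```python
import re

# Added example, not from the PR: PyYAML-free scan of a GitHub Actions workflow that
# reports actions/checkout steps leaving persist-credentials at its default (true).
CHECKOUT_USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?actions/checkout(?:@|['\"]|\s|$)")
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")

def split_list_items(text):
    """Group each '- ' list item (a step) with its deeper-indented lines -> [(line_no, lines)]."""
    items, current, current_indent = [], None, 0
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                                  # blanks/comments carry no structure
        ind = len(line) - len(line.lstrip(" "))
        if current is not None and ind > current_indent:
            current[1].append(line)                   # still inside the current step
        elif stripped.startswith("- "):               # sibling step, or a new list
            current, current_indent = (no, [line]), ind
            items.append(current)
        else:
            current = None                            # a key at lower depth ends the list
    return items

def find_persisting_checkouts(workflow_text):
    """Line numbers of steps using actions/checkout without persist-credentials: false."""
    return [no for no, lines in split_list_items(workflow_text)
            if any(CHECKOUT_USES.match(l) for l in lines)
            and not any(PERSIST_FALSE.match(l) for l in lines)]

# Constructed sample: the steps at lines 7 and 12 keep GITHUB_TOKEN in .git/config.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Read-only checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Checkout for a step that pushes back
        uses: actions/checkout@v4
        with:
          persist-credentials: true
      - run: make test
"""
```

`find_persisting_checkouts(SAMPLE_WORKFLOW)` returns the step line numbers to review; the step at line 12 is a legitimate exception only if a later step really does an authenticated `git push`, which is the distinction the remediation text draws.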