Alex Aslam

Posted on May 1

Lock Down GitHub Actions: Block Secrets Leaks & Malicious Code

#webdev #programming #javascript #automation

Hey friends! 👋 Let’s talk about something we all dread: accidentally leaking your AWS keys on Twitter because of a sneaky GitHub Actions misstep. Or worse—letting a stranger run malicious code in your CI/CD pipeline. 😱

GitHub Actions is incredible for automation, but like any powerful tool, it can backfire if used carelessly. The good news? With a few simple tweaks, you can lock down your workflows like a cybersecurity ninja. Let’s dive in.

The Two Biggest GitHub Actions Risks (And How to Dodge Them)

1. Secrets Leaks: When Your API Keys Go Rogue

The horror story:

You hardcoded a Slack token in a workflow file. A new contributor submits a PR, and suddenly your token is exposed in the logs. Cue panic.

How to Fix It:

Never Hardcode Secrets (yes, even in private repos).
Use GitHub Secrets:
1. Go to your repo Settings > Secrets > Actions.
2. Add secrets (e.g., AWS_ACCESS_KEY).
3. Reference them safely in workflows:

  - name: Deploy to Cloud  
    env:  
      AWS_KEY: ${{ secrets.AWS_ACCESS_KEY }}  # 🔒 Invisible in logs!  
    run: ./deploy.sh

Mask Logs: Add || true to commands to prevent accidental leaks:

  run: echo "Token: ${{ secrets.TOKEN }}" || true

2. Malicious Triggers: When Strangers Run Code in Your Pipeline

The nightmare scenario:

A malicious PR from a fork triggers a workflow that mines Bitcoin on your runners. 💸

How to Fix It:

Restrict Workflow Triggers:

  on:  
    pull_request:  
      branches: [ main ]  # Only allow PRs from main branch  
    # Avoid `pull_request_target` unless you’re 100% sure!

Limit Permissions:

  permissions:  
    actions: read  # Don’t let workflows approve PRs or create tokens  
    contents: read

Require Manual Approval for External PRs:

  on:  
    pull_request_target:  
      types: [opened, reopened]  
  jobs:  
    build:  
      if: github.event.pull_request.head.repo.full_name == github.repository  
      # Only run if PR is from your repo, not a fork

Pro Tips to Sleep Soundly at Night

Audit Your Workflows:
- Use GitHub’s Security > Code Scanning to find exposed secrets.
- Review pull_request_target usage—it’s a common attack vector.
Use Environments for Production Deploys:

Add approval gates and restrict secrets to specific environments:

   jobs:  
     deploy:  
       environment: production  
       runs-on: ubuntu-latest  
       steps:  
         - uses: actions/checkout@v4

Rotate Secrets Regularly:

Treat secrets like milk—expire them before they go bad.
Monitor Runner Activity:

Check Actions > Runners for suspicious jobs (e.g., unknown users or odd timestamps).

Real-World Example: How a Startup Dodged Disaster

A dev team once used a public GitHub Action from an unverified creator. Turns out, the action had a hidden script that exported their secrets to a shady server. 😬

Their fix:

Only use verified or official actions (look for the ✔️ badge).
Pin actions to a full commit SHA (not just @v1):

  uses: actions/checkout@dcd71f0 # Specific SHA = no surprises

“But What If I Mess Up?” (Damage Control)

Revoke Leaked Secrets Immediately: Rotate keys, tokens, and passwords.
Purge Git History: Use git filter-repo to erase secrets from commits.
Enable Read-Only Permissions: Restrict contributors until you’re secure.

Your GitHub Actions Security Checklist

[ ] Replace hardcoded secrets with GitHub Secrets.
[ ] Add permissions blocks to limit workflow access.
[ ] Avoid pull_request_target unless absolutely necessary.
[ ] Use environments for production deploys.
[ ] Audit third-party actions (SHA pinning FTW!).

Final Thought: Automation Shouldn’t Mean Compromise

GitHub Actions is a game-changer, but security is your responsibility. Treat your workflows like a fortress—gatekeep those secrets, vet your triggers, and always double-check third-party code.

Now go forth and automate safely! 🛡️

Need help? Drop a comment below—we’ve all been there. 🚀

DEV Community