For a public repository, in github actions, assume my action runs on a compute in azure. I am confused on how i can protect the azure auth details if the CI pipeline has to run in azure.
Lets say to use this action, i have to use a secret and i set an environment variable's value to be the secret - have I not lost the point of having a secret? A malicious user can send a PR that prints the value of the environment variable :
user_password: {{secret.USER_PASSWORD}}
User code:
print(os.environment['user_password'])
The malicious user does not have to guess since the workflow is public and he knows which env var has the secret.
Where am i wrong?
GitHub, like other CI providers, redacts most secrets from the logs. It considers a variety of formats and tries to scrub them. However, in general, you should be careful to avoid printing them to the logs because no system is foolproof and not every possible encoding can be considered.
If you're worried about forked repositories trying to access your secrets, they can't; that's specifically not allowed for the reason you describe. So if someone opens a PR against your repository, they won't be able to access the secrets unless the branch is in your repository (in which case, don't grant that person write access to your repo). It's presumed that you'll perform basic code review to catch any malicious code before merging, so a bad actor won't be able to run any code with the secrets for your repository.
In general, though, using environment variables as a way to pass secrets to programs is a best practice, assuming the running system and programs are trusted. Other users on the system cannot see the environment, and in a CI system the system and programs are assumed to be trusted.
Related
I'm setting up a self-hosted github runner on a k8s cluster. The runner deployment requires that I supply it a token so that it can link to the proper repository/github account.
There are a lot of examples that I've seen that use a Personal Access Token as a secret resource. It seems like bad practice to use a single user's PAT for what should be a service account token. I am wondering if there are recommended way to use a repository or organization-level token stored as a secret.
Possibly the GITHUB_TOKEN, but this seems too transient as it appears to expire following the completion of a workflow.
Curious about best practices in this case.
You can create a registration token for an organization following this doc.
From this doc Github recommends that you only use self-hosted runners with private repositories. This is because forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.
Do not store secrets in the host runner When a GitHub Action uses the self-hosted runner, it clones the code in a workdir _work.We must ensure that no secrets (application, system, ..) are accessible in this folder.
For more information follow this doc.
I have a few secrets stored in my repo and I want to access those secrets in workflow on a pull request but, I don't want to use pull_request_target because it gives write access on my repo and it leads to security risk is there anything by which, I can accomplish this task.
Github Secrets provides a way for passing credentials to Github actions, but are they safe enough to be trusted with highly sensitive credentials?
I'm not sure that anyone can really answer that for you. I think it depends how sensitive, and what level of risk you can afford to take.
What I would suggest, if you are concerned about the security of your secrets, is not to use third party GitHub actions directly. Always fork the action and use your fork in workflows. This will prevent the possibility of someone modifying an action you are using to capture secrets and send them to some external server under their control.
Secrets are encrypted environment variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in GitHub Actions workflows. GitHub uses a libsodium sealed box to help ensure that secrets are encrypted before they reach GitHub and remain encrypted until you use them in a workflow.
For more details see https://docs.github.com/en/actions/security-guides/encrypted-secrets
Add an additional layer of protection by adding org-level access policy and enable reviewer to control env secrets.
VSTS build definition has the option to create a secret variable. How secret is that variable? Is it safe to store the user credentials which is specific to a set of users? Can other users (who are not authorized to do it) can decrypt that variable?
I came across this article.
Assuming users have build modification access then is it possible to decrypt the variable?
Variables stored are as secure as the agent that runs the build and the integrity of your build definition.
Like you said, if a user can modify the Build Definition and has access to the secret they can pass it to a PowerShell or a Curl task etc. Or if the user can take control over a Build Task's script they can iterate all available secrets (build tasks are considered trusted by the Build System).
Consider that everyone who has write-access over the work directories of the agent can access all secrets that are available to the Build Definitions that execute on the build agent. They can change the scripts used by Build Tasks and thus gain the same level of trust. Any build that runs after this change and until a new version of the task is pushed to the agent will be compromised in this scenario. In theory can every build definition "infect" the _tasks folder of the agent as well. Best way to protect against this is to use the Hosted Pool or to regularly reset your agent's VMs.
YAML build definitions combined with Pull-Requests give you more control over the Change/approval process of build definitions.
Using a Variable Library you can reduce the number of people who can add secret variables to their Build Definition.
You must secure the Agent Pools and the Variable Libraries/Build Definitions in such ways that only limited and trusted users can access these resources. Optionally use single-use passwords that expire after a short time or temporarily grant these permissions.
Remember that all changes to Build Definitions and Variable Libraries and Scripts in the Git Repository are tracked.
The alternate ways to get access to the secrets do not apply to Azure DevOps as none have access to the Application Tier in Azure and access is strictly monitored by Microsoft.
To encrypt GitHub tokens to use them in your .travis.yml you seem to need the Travis CI CLI tool - which I can't install right now.
Therefore I didn't put the GitHub token in my .travis.yml but rather created a new environment variable GITHUB_TOKEN in the repository settings at https://travis-ci.org and use it like this:
github_token: $GITHUB_TOKEN
Now I can use the token to deploy to GitHub releases, for example.
Is this safe? Or are my environment variables in Travis CI somehow publicly accessible?
I found out by now: No, in general, they're not public. Yes, if you follow some rules, it seems perfectly safe to use them for sensitive information. To quote directly from the docs at https://docs.travis-ci.com/user/environment-variables#Defining-Variables-in-Repository-Settings about environment variables:
Define variables in the Repository Settings that (...) contain sensitive data, such as third-party credentials.
Some reasonable rules to keep in mind:
Most importantly: Hide them from the logs with the ON/OFF switch in the settings.
By default, the value of these new environment variables is hidden from the export line in the logs. This corresponds to the behavior of encrypted variables in your .travis.yml. The variables are stored encrypted in our systems, and get decrypted when the build script is generated.
Define them correctly with " if necessary.
These values are used directly in your build, so make sure to escape special characters (for bash) accordingly. In particular, if a value contains spaces, you should put quotes around that value. E.g. my secret passphrase should be written "my secret passphrase".
Also important to know: even if your environment variables are hidden in the logs, someone could still submit a pull request to your repository with malicious code and access the variable this way. Therefore, the variables are not available within builds from pull requests:
Similarly, we do not provide these values to untrusted builds, triggered by pull requests from another repository.