Documentation index: https://docs.pipefort.com/llms.txt

| Field | Value |
| --- | --- |
| Category | CICD-SEC-6 |
| Severity | HIGH |
| OWASP | CICD-SEC-6: Insufficient Credential Hygiene |
| Auto-fix | partial (see the Auto-fix section below) |

What the check does

Two detection paths:

1. Suspicious env: keys with literal values. Any environment variable whose name contains one of token, password, secret, key, webhook, passwd, credential and whose value is a literal (not ${{ secrets.* }} / ${{ ... }}). Checked at workflow, job, and step scope.

2. Pattern-matched literals in run: scripts. Regex matches for:

| Pattern | Regex / example |
| --- | --- |
| GitHub PAT | ghp_[A-Za-z0-9]{36} |
| Slack bot token | xoxb-... |
| AWS access key | AKIA[0-9A-Z]{16} |
| Generic var := "..." | token := "abcdef1234567890abcdef" |

Why it matters

Hardcoded credentials end up in git history, build logs, action audit logs, and anywhere the workflow file gets mirrored (forks, clones, backups). A literal also gets no log masking: GitHub masks (best-effort) the values registered as secrets in job output, but a string typed into the workflow file is printed as-is. Rotating a credential after a leak is painful; preventing the leak is cheaper.

Vulnerable examples

Env var with literal:
jobs:
  deploy:
    env:
      API_TOKEN: "ghp_1234567890abcdefghijklmnopqrstuvwxyz1"   # ← hardcoded
Token in inline script:
- run: |
    curl -H "Authorization: token ghp_1234567890abcdefghijklmnopqrstuvwxyz1" \
      https://api.example.com

Safe alternative

Store the value in GitHub Secrets (repository, environment, or organization scope) and reference it via expression. Pass it to the script through env and read $API_TOKEN in the shell rather than interpolating ${{ secrets.API_TOKEN }} directly into the run: text, so the value never becomes part of the command text the runner hands to the shell:
jobs:
  deploy:
    env:
      API_TOKEN: ${{ secrets.API_TOKEN }}
    steps:
      - run: |
          curl -H "Authorization: token $API_TOKEN" https://api.example.com

Auto-fix

--fix rewrites the env-var case only. The literal value is replaced with ${{ secrets.<KEY_UPPER> }}, e.g. API_TOKEN: "ghp_..." becomes API_TOKEN: ${{ secrets.API_TOKEN }}. You still need to create the matching secret in GitHub, and because the literal is already in git history you should treat it as leaked and rotate it rather than storing the same value as the secret.
Hardcoded credentials inside run: scripts are flagged but not auto-fixed: the rewrite is too risky (where does the secret come from? how is the surrounding command structured?). Review and lift them manually, passing the value in through env as in the safe alternative above.
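Both detection paths from "What the check does" and the env-var rewrite described in this section, as an added example. This is not pipefort's own implementation (the page does not show its internals); it is a line-based scanner in Python that works on the raw workflow text instead of a parsed YAML tree, so a rewrite keeps comments and indentation intact. The GitHub PAT and AWS regexes are the page's own; the Slack token tail, the restriction of the generic `var := "..."` pattern to credential-looking names, the function names and the sample workflow are assumptions constructed for this example.

```python
"""Line-based scanner for the two detection paths plus the env-var auto-fix.
Constructed example, not pipefort's code. Working on raw text (no YAML library)
keeps comments and indentation intact when a value is rewritten."""
import re

# Name substrings the env path treats as credential-bearing (from the page).
SUSPICIOUS_NAMES = ("token", "password", "secret", "key", "webhook", "passwd", "credential")

# Script patterns. GitHub PAT and AWS are the page's regexes; the Slack tail and
# the scoping of the generic var := "..." pattern to suspicious names are assumed.
SCRIPT_PATTERNS = {
    "GitHub PAT": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "Slack bot token": re.compile(r"xoxb-[0-9A-Za-z-]{10,}"),
    "AWS access key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "Generic assignment": re.compile(
        r"(?i)\b\w*(?:token|password|secret|key|webhook|passwd|credential)\w*"
        r"\s*:?=\s*[\"'][^\"']{8,}[\"']"),
}

ENV_HEADER = re.compile(r"^(\s*)(-\s+)?env:\s*$")        # workflow/job/step env:
RUN_HEADER = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")    # inline or block scalar
ENV_ENTRY = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*):(.*)$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _is_suspicious(name):
    return any(s in name.lower() for s in SUSPICIOUS_NAMES)


def _split_value(raw):
    """Split the text after 'KEY:' into (scalar without quotes, trailing comment)."""
    raw = raw.strip()
    if raw[:1] in ('"', "'"):
        end = raw.find(raw[0], 1)
        if end != -1:
            return raw[1:end], raw[end + 1:].strip()
    m = re.match(r"(.*?)(\s+#.*)?$", raw)
    return m.group(1).strip(), (m.group(2) or "").strip()


def scan(text):
    """Return findings as (line_no, path, name_or_pattern, value); path is 'env' or 'run'."""
    lines = text.splitlines()
    findings, i = [], 0
    while i < len(lines):
        env, run = ENV_HEADER.match(lines[i]), RUN_HEADER.match(lines[i])
        if not (env or run):
            i += 1
            continue
        m = env or run
        col = len(m.group(1)) + len(m.group(2) or "")   # column where the key starts
        body = [(i, m.group(3))] if run else []          # inline part of 'run: cmd'
        i += 1
        while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > col):
            body.append((i, lines[i]))                   # lines nested under the key
            i += 1
        for idx, line in body:
            if env:
                e = ENV_ENTRY.match(line)
                if not e:
                    continue
                name, (value, _) = e.group(2), _split_value(e.group(3))
                if _is_suspicious(name) and value and not value.startswith("${{"):
                    findings.append((idx + 1, "env", name, value))
            else:
                for label, pat in SCRIPT_PATTERNS.items():
                    for hit in pat.finditer(line):
                        findings.append((idx + 1, "run", label, hit.group(0)))
    return findings


def fix(text):
    """Apply the env-var auto-fix; run: findings are reported but never rewritten."""
    lines = text.splitlines(keepends=True)
    for line_no, path, name, _ in scan(text):
        if path != "env":
            continue
        original = lines[line_no - 1]
        body = original.rstrip("\r\n")
        e = ENV_ENTRY.match(body)
        _, comment = _split_value(e.group(3))
        rewritten = f"{e.group(1)}{name}: ${{{{ secrets.{name.upper()} }}}}"
        if comment:
            rewritten += "   " + comment
        lines[line_no - 1] = rewritten + original[len(body):]   # keep line ending
    return "".join(lines)


# Constructed sample workflow; the AKIA value is AWS's documented placeholder key.
SAMPLE = """\
name: deploy
on: push
env:
  REGION: us-east-1
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      API_TOKEN: "ghp_0123456789abcdefghijklmnopqrstuvwxyz"   # literal: flagged
      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}             # expression: fine
    steps:
      - run: |
          export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
          echo 'db_password = "hunter2hunter2"' > cfg.toml
          curl -H "Authorization: token $API_TOKEN" https://api.example.com
      - name: build
        run: go build ./...
"""

if __name__ == "__main__":
    for line_no, path, what, value in scan(SAMPLE):
        print(f"line {line_no}: [{path}] {what} = {value!r}")
    print(fix(SAMPLE))
```

Running the file prints the findings for the embedded sample and the rewritten workflow: `fix()` replaces only the `API_TOKEN` line (keeping its trailing comment) and leaves the `AKIA...` and `db_password` hits inside the `run:` block untouched for manual review, the same split the check makes. The line-based approach has limits a production fixer must handle or refuse: flow-style `env: {KEY: value}`, multi-line quoted scalars and YAML anchors are not understood here, which is one more reason to review any automatic rewrite before committing it.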