| Field | Value |
|---|---|
| Category | CICD-SEC-6 |
| Severity | HIGH (toJSON) / MEDIUM (workflow env) |
| Confidence | HIGH |
| OWASP | CICD-SEC-6: Insufficient Credential Hygiene |
| Auto-fix | ✗ |
What the check does
Flags two over-exposure patterns:${{ toJSON(secrets) }}— serializes every repository and organization secret into a single value (HIGH).- Workflow-level
env:bound to a secret — the value is readable by every step of every job, far wider than the one step that needs it (MEDIUM).
Why it matters
The blast radius of a credential leak is set by how widely the credential is provisioned.toJSON(secrets) means one injection, one careless echo, or one
compromised action can exfiltrate the entire secret store at once. A
workflow-level secret env var is present in every step, including third-party
actions you don’t control.