> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-6 — Secrets over-provisioned to the whole workflow

> toJSON(secrets) exposes every secret at once; workflow-level secret env leaks into every step.

| Field      | Value                                                                                                                                                |
| ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| Category   | `CICD-SEC-6`                                                                                                                                         |
| Severity   | **HIGH** (toJSON) / **MEDIUM** (workflow env)                                                                                                        |
| Confidence | HIGH                                                                                                                                                 |
| OWASP      | [CICD-SEC-6: Insufficient Credential Hygiene](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-06-Insufficient-Credential-Hygiene) |
| Auto-fix   | ✗                                                                                                                                                    |

## What the check does

Flags two over-exposure patterns:

* **`${{ toJSON(secrets) }}`** — serializes *every* repository and organization
  secret into a single value (HIGH).
* **Workflow-level `env:` bound to a secret** — the value is readable by every
  step of every job, far wider than the one step that needs it (MEDIUM).

## Why it matters

The blast radius of a credential leak is set by how widely the credential is
provisioned. `toJSON(secrets)` means one injection, one careless `echo`, or one
compromised action can exfiltrate the entire secret store at once. A
workflow-level secret env var is present in every step, including third-party
actions you don't control.

```yaml theme={null}
env:
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # ← visible to every step of every job
jobs:
  a:
    steps:
      - run: echo '${{ toJSON(secrets) }}'    # ← dumps ALL secrets
```

## Safe alternative

Bind each secret at the narrowest scope that needs it, and reference secrets
individually:

```yaml theme={null}
jobs:
  deploy:
    steps:
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # ← only this step
```
