Rule: RGS-008 — Secret Directly Interpolated in run Block
Severity: High
Affected Workflows: 61 workflows (62 total instances)
Description
A ${{ secrets.* }} expression, ${{ github.token }}, or ${{ env.GITHUB_TOKEN }} appears directly inside a run: block's shell script rather than being passed to the script through the env: mapping.
When secrets are interpolated directly into run: blocks, the runner expands the expression before the shell starts, so the secret value is literally pasted into the script text. This creates multiple risks:
- The secret value becomes part of the shell script text, where it can surface in error messages, debug output, or the command lines of the processes it is passed to
- If the secret value contains shell metacharacters (quotes, $, backticks, semicolons), it can break the script's syntax or cause unintended command execution
- The secret persists outside the shell's memory: in the temporary script file the runner writes to disk and in /proc entries (such as /proc/<pid>/cmdline) of any process that receives it as an argument
- Any expression injection vulnerability in the same run: block gains direct access to the secret value, because attacker-controlled text and the secret are spliced into one script
Impact
Secret exposure via side channels even when GitHub's log masking is in place. Combined with expression injection, this can lead to full secret exfiltration.
Remediation
Move secrets from inline expressions to the env: mapping and reference them in the script as quoted shell variables (for example "$API_TOKEN"), so the value never appears in the script text. Note that env: keeps the value out of the script, not out of process listings: a secret passed as a command-line argument is still visible in /proc/<pid>/cmdline, so feed it to the tool via stdin or a config file where the tool allows.
Before (vulnerable):
  - name: API Call
    run: |
      curl -H Authorization:
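
As an added worked example (not the report's own scanner, and not a workflow from the scanned set), the following Python implements the check this rule describes and demonstrates the metacharacter failure mode from the description. It scans two constructed workflows, one vulnerable and one remediated, for secret expressions inside run: scripts, then simulates the runner's textual expansion of an expression to show how a secret containing a double quote breaks the script's quoting while the env: form is unaffected. The workflow contents, the secret name API_TOKEN, the URL and the secret value are assumptions made up for this example.

```python
"""Worked example for RGS-008 (added here, not the report's own scanner): find secret
expressions inside run: scripts and show why moving them to env: fixes the problem.
The two workflows, the secret name and the secret value are constructed for this example."""
import re
import shlex
from typing import Dict, List, Tuple

# Expressions the rule flags when they appear inside the text of a run: script.
SECRET_EXPR = re.compile(
    r"\$\{\{\s*(secrets\.[A-Za-z_][A-Za-z0-9_]*|github\.token|env\.GITHUB_TOKEN)\s*\}\}"
)
# A run: key, optionally as the first key of a sequence item ("- run:").
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

# Constructed vulnerable workflow: secrets pasted straight into run: scripts (lines 9 and 10).
VULNERABLE_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: API Call
        run: |
          curl -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" https://api.example.com/v1/deploy
      - run: git push "https://x-access-token:${{ github.token }}@github.com/${{ github.repository }}.git" HEAD:gh-pages
      - name: Tag release
        run: gh release create v1 --repo ${{ github.repository }}
        env:
          GH_TOKEN: ${{ github.token }}
"""

# Same workflow after remediation: the secret reaches the shell only as an environment variable.
FIXED_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: API Call
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
        run: |
          curl -H "Authorization: Bearer $API_TOKEN" https://api.example.com/v1/deploy
      - env:
          GH_TOKEN: ${{ github.token }}
        run: git push "https://x-access-token:$GH_TOKEN@github.com/$GITHUB_REPOSITORY.git" HEAD:gh-pages
      - name: Tag release
        run: gh release create v1 --repo "$GITHUB_REPOSITORY"
        env:
          GH_TOKEN: ${{ github.token }}
"""

# The single script line from each workflow, used for the quoting demonstration below.
INLINE_CURL = 'curl -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" https://api.example.com/v1/deploy'
ENV_CURL = 'curl -H "Authorization: Bearer $API_TOKEN" https://api.example.com/v1/deploy'


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_inline_secrets(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for each secret expression inside a run: script.

    Line-oriented scan: `run: |` or `run: >` starts a block scalar that covers every
    following line indented deeper than the `run` key; `run: cmd` is just that line.
    Secrets under env: are not inside a run: script and are therefore not reported.
    """
    findings: List[Tuple[int, str]] = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent, rest = len(m.group(1)), m.group(2).strip()
        if rest.startswith(("|", ">")):  # block scalar: the script is on the following lines
            i += 1
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_indent):
                findings.extend((i + 1, e.group(0)) for e in SECRET_EXPR.finditer(lines[i]))
                i += 1
        else:  # single-line script
            findings.extend((i + 1, e.group(0)) for e in SECRET_EXPR.finditer(rest))
            i += 1
    return findings


def render_like_the_runner(script: str, values: Dict[str, str]) -> str:
    """Expressions are expanded by plain text substitution before the shell sees the script.
    An unset secret expands to an empty string, as it does on the runner."""
    return SECRET_EXPR.sub(lambda m: values.get(m.group(1), ""), script)


def inline_breaks_quoting(script: str, values: Dict[str, str]) -> bool:
    """True if pasting the secret text into the script leaves the shell with invalid quoting."""
    try:
        shlex.split(render_like_the_runner(script, values))
        return False
    except ValueError:  # e.g. "No closing quotation"
        return True


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(label, find_inline_secrets(wf))
    tricky = {"secrets.API_TOKEN": 'abc"def'}  # constructed secret containing a shell metacharacter
    print("inline form breaks quoting:", inline_breaks_quoting(INLINE_CURL, tricky))
    print("env form breaks quoting:", inline_breaks_quoting(ENV_CURL, tricky))
```

The scanner reports only the three expression forms named by the rule; a non-secret expression such as ${{ github.repository }} in the same run: line is left alone, since it is not this rule's concern. The quoting check is deliberately conservative: it only catches secrets that break the shell's tokenisation, whereas a value containing $( or backticks would parse cleanly and then execute, which is why the env: form is the fix rather than any attempt to quote the pasted text.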