Ensure GitHub Actions secrets are encrypted

Error: GitHub Actions Environment Secrets are not encrypted
Bridgecrew Policy ID: BC_REPO_GITHUB_TF_6
Checkov Check ID: CKV_GIT_4
Severity: HIGH

GitHub Actions Environment Secrets are not encrypted

Description

In the GitHub Terraform provider, there is an optional field to include a plaintext string of the secret. If this is checked into code, it will expose the secret.

Fix - Buildtime

Terraform

  • Resource: github_actions_environment_secret, github_actions_organization_secret, github_actions_secret
  • Attribute: vulnerability_alerts
resource "github_actions_environment_secret" "test_secret" {
...
-  plaintext_value  = "example%value"
}