Exposure of Sensitive Information to an Unauthorized Actor
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| OWASP | A06:2017 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Sensitive information in GitHub Actions workflows may be exposed if the `add-mask` workflow command is not used reliably, or if workflow command processing is stopped (the `stop-commands` command), so that secrets, or values derived from them, are written to the job log in plaintext. Attackers can exploit this by disabling masking, leading to unintended secret disclosure.
Impact
If exploited, secret tokens or other sensitive data could be leaked in public or shared workflow logs, allowing attackers to access protected resources, compromise accounts, or escalate their privileges within your organization.
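The following workflow is an added example, not part of this rule's page, showing the weak pattern beside the corrected one. It assumes a repository secret named `API_KEY`; the runner masks only values it has been told about, so a value derived from a secret (here a base64 encoding) must be registered with `add-mask` before anything echoes it, and any `add-mask` emitted after `stop-commands` is ignored until command processing is resumed.

```yaml
name: secret-masking-example
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Weak: the base64-encoded key is a new string the runner has never seen,
      # so the automatic masking of the literal secret does not apply to it.
      # Anything that later prints $DERIVED puts it in the log in plaintext.
      - name: derive token (unmasked)
        env:
          API_KEY: ${{ secrets.API_KEY }}   # assumed secret name
        run: |
          DERIVED=$(printf '%s' "$API_KEY" | base64 -w0)
          echo "derived=$DERIVED" >> "$GITHUB_OUTPUT"

      # Hardened: register the derived value as a secret first. From this line on,
      # every occurrence of it in the step log is replaced with ***.
      - name: derive token (masked)
        env:
          API_KEY: ${{ secrets.API_KEY }}   # assumed secret name
        run: |
          DERIVED=$(printf '%s' "$API_KEY" | base64 -w0)
          echo "::add-mask::$DERIVED"
          echo "derived=$DERIVED" >> "$GITHUB_OUTPUT"

      # Caveat: if untrusted script or tool output reaches stdout, a line of the
      # form "::stop-commands::<token>" halts processing of all workflow commands,
      # including add-mask, until "::<token>::" is printed. Do not let untrusted
      # content run before your add-mask calls, and treat stop-commands in a
      # step's output as a finding when reviewing logs.
      - name: resume commands defensively
        run: |
          echo "::add-mask::$DERIVED" || true
```

When reviewing existing workflows against this rule, flag any step that echoes a transformed secret (encoding, hashing, substring) without a preceding `add-mask`, and any step whose stdout is produced by untrusted input.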