Ensure plaintext value is not used for GitHub Action Environment Secret.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | actions |
| Provider | GitHub |
| Vulnerability Type | misconfiguration |
Description
Storing a sensitive secret in the `plaintext_value` field of the `github_actions_environment_secret` resource exposes the unencrypted credential in the Terraform code and in the state file, where anyone with read access can recover it. This practice fails to protect the secret and bypasses the encryption mechanism the GitHub API expects for secret values.
Impact
If exploited, an attacker with access to the codebase or state files can read the secret, potentially compromising GitHub Actions workflows, leaking credentials, or gaining unauthorized access to the systems and data the secret protects.
Resolution
Do not store plaintext values in your code; instead, populate `encrypted_value` from a resource attribute, a data source, or a variable so that only ciphertext reaches the configuration and state.
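The misconfiguration beside its corrected form, as an added Terraform example that is not part of this rule page or the GitHub provider's own documentation. The repository name, environment, secret name and variable name are constructed for illustration; the variable is assumed to hold the secret already encrypted out of band as a libsodium sealed box with the environment's public key, which is the format the GitHub API expects in `encrypted_value`.

```hcl
# BAD: the secret is written in clear in the .tf file and lands unencrypted in
# terraform.tfstate. This is the pattern the rule flags.
resource "github_actions_environment_secret" "deploy_token_plaintext" {
  repository      = "example-repo"              # constructed value
  environment     = "production"                # constructed value
  secret_name     = "DEPLOY_TOKEN"              # constructed value
  plaintext_value = "<plaintext-secret-here>"   # placeholder: never commit a real value
}

# GOOD: only ciphertext is referenced. The variable carries the sealed-box
# ciphertext (Base64) produced outside Terraform with the environment's
# public key; marking it sensitive keeps it out of plan output as well.
variable "deploy_token_encrypted" {
  description = "DEPLOY_TOKEN encrypted (libsodium sealed box, Base64) with the environment public key. Assumed to be supplied via TF_VAR or a tfvars file kept out of version control."
  type        = string
  sensitive   = true
}

resource "github_actions_environment_secret" "deploy_token" {
  repository      = "example-repo"   # constructed value
  environment     = "production"     # constructed value
  secret_name     = "DEPLOY_TOKEN"   # constructed value
  encrypted_value = var.deploy_token_encrypted
}
```

Review of the `.tf` files and `terraform show -json` output for any `plaintext_value` argument is a quick way to confirm the first form is gone from a repository.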