Suspicious use of curl with secrets
Description
This policy checks for suspicious use of curl commands in GitHub Actions scripts that may expose secrets. It scans the 'run' section of each step for lines that contain both 'curl' and 'secret', which can indicate that a secret is being sent to an external endpoint or written into logs. Exposing secrets in this way can lead to unauthorized access and data breaches, so secrets must be handled securely to prevent such vulnerabilities.
Code Example

```yaml
steps:
  - name: Run script
    env:
      SECRET: ${{ secrets.MY_SECRET }}
    run: |
      # The secret value is placed on the curl command line, which is what
      # this policy flags. (Double quotes are needed for $SECRET to expand;
      # the original single quotes would have sent the literal text "$SECRET".)
      curl -X POST \
        -H "Authorization: Bearer $SECRET" \
        https://example.com/api/endpoint
```

Remediation
Ensure that secrets are not passed directly on curl command lines in GitHub Actions scripts. Instead, pass them through environment variables or another secure mechanism for handling secrets.
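The check described above, written out as an added example that is not the policy's own implementation. The workflow is embedded as an already-parsed dict (the shape `yaml.safe_load` returns) so it runs offline; it goes slightly beyond the page's literal per-line rule by joining backslash continuations into one logical line and matching case-insensitively, so the multi-line curl from the example above is still caught.

```python
"""Flag GitHub Actions `run` steps where curl and a secret share one logical line."""

# Constructed sample workflow: the page's suspicious step plus two benign steps.
SAMPLE_WORKFLOW = {
    "jobs": {
        "deploy": {
            "steps": [
                {"uses": "actions/checkout@v4"},  # no `run`, skipped
                {
                    "name": "Run script",
                    "env": {"SECRET": "${{ secrets.MY_SECRET }}"},
                    "run": 'curl -X POST \\\n'
                           '  -H "Authorization: Bearer $SECRET" \\\n'
                           '  https://example.com/api/endpoint\n',
                },
                {"name": "Healthcheck", "run": "curl -fsS https://example.com/health"},
            ]
        },
        "build": {
            "steps": [
                {"name": "Use token",  # secret present, but no curl
                 "env": {"TOKEN": "${{ secrets.TOKEN }}"},
                 "run": 'echo "$TOKEN" | wc -c'},
            ]
        },
    }
}


def logical_lines(script: str) -> list[str]:
    """Split a shell script into logical lines, joining backslash continuations."""
    out, buf = [], ""
    for raw in script.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(" ".join((buf + line).split()))  # collapse indentation
        buf = ""
    if buf:
        out.append(" ".join(buf.split()))
    return out


def find_suspicious_curl(workflow: dict) -> list[dict]:
    """Walk jobs.*.steps[] and report run lines containing both curl and secret."""
    findings = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            run = step.get("run")
            if not isinstance(run, str):
                continue
            for line in logical_lines(run):
                low = line.lower()
                if "curl" in low and "secret" in low:
                    findings.append({"check": "CKV_GHA_3", "job": job_id, "step": idx,
                                     "name": step.get("name", f"step {idx}"), "line": line})
    return findings
```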
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1026 |
| Severity | MEDIUM |
| IaC Type | github_actions |
| Frameworks | jobs, jobs.*.steps[] |
| Checkov ID | CKV_GHA_3 |