There are several measures that can be taken to safeguard GitHub secrets within pull request actions from malicious pull requests:

- Limit access: limit access to secrets to only the necessary personnel or trusted contributors.
- Use encrypted secrets: use encrypted secrets in the file system rather than plaintext, so that they cannot be accessed easily even if someone gains access to the repository.
- Use contexts: use contexts to limit access to secrets based on the type of action being performed.
- Third-party integrations: use third-party integrations with tools like GitHub Actions, TravisCI or CircleCI that provide built-in encryption and a secure environment for running actions.
- Review pull requests carefully: review pull requests thoroughly before merging them, including checking for any changes that may affect secrets.
- Audit trail: maintain an audit trail of all access to secrets by creating logs, alerts or notifications whenever any access or modification is made.
- Strong passwords: use strong passwords and two-factor authentication to protect against credential-stuffing attacks.
- Employ mitigation strategies: employ mitigation strategies such as revoking access to secrets or regenerating secret keys immediately if unauthorized access is detected.
- Keep secrets outside the source code: keep secrets outside the source code, for example by using a secret management service like AWS Secrets Manager or HashiCorp Vault.
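The "use contexts" and "limit access" points above map directly onto workflow configuration. The following is an added example, not part of the original answer: two workflow fragments for a hypothetical repository, one showing the weak pattern that exposes a secret to a pull request's own code, and one showing the hardened layout. The secret name NPM_TOKEN, the `release` environment and the `main` branch are assumptions. The relevant platform behaviour is that `pull_request_target` runs in the context of the base repository and therefore receives repository secrets, whereas a plain `pull_request` trigger fired by a fork does not receive secrets and can be given a read-only GITHUB_TOKEN.

```yaml
# Added example (not the original answer's content). Two workflow
# documents for a hypothetical repository; NPM_TOKEN, the 'release'
# environment and the 'main' branch are placeholders.

# --- Weak configuration ---------------------------------------------------
# pull_request_target runs with the base repository's secrets, yet this job
# checks out and executes the untrusted pull-request head. Any build or test
# script controlled by the contributor runs with NPM_TOKEN in its environment.
name: ci-weak
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}               # exposed to it
---
# --- Hardened configuration -----------------------------------------------
# The PR job uses the pull_request trigger (no secrets for fork PRs), a
# read-only token, and never references secrets. Only code already merged to
# main can reach the secret, and the 'release' environment can be configured
# in the repository settings to require a reviewer before the job starts.
name: ci-hardened
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read          # least-privilege GITHUB_TOKEN for every job
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref: the merge commit for PRs
      - run: npm ci && npm test     # no secrets in this job's environment

  publish:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: test
    runs-on: ubuntu-latest
    environment: release   # environment-scoped secret, optional approval gate
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The practical check when reviewing a workflow is to look for any job that both uses `pull_request_target` (or otherwise runs with secrets) and checks out or executes pull-request-controlled content; that combination is what should trigger the "review pull requests carefully" and "audit trail" items above. If `pull_request_target` is genuinely needed, for example to label or comment on PRs, keep that job free of any checkout of the PR head and grant it only the specific `permissions` it requires.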
Asked: 2022-02-08 11:00:00 +0000
Seen: 10 times
Last updated: Nov 29 '21