There are several measures that can be taken to safeguard GitHub secrets within pull request actions from malevolent pull requests:
Limit Access: Limit access to secrets to only the necessary personnel or trusted contributors.
Use Encrypted Secrets: Use encrypted secrets in the file system rather than plaintext, so that they cannot be accessed easily even if someone gains access to the repository.
Use Contexts: Use contexts to limit access to secrets based on the type of action that is being performed.
Third Party Integrations: Use third-party integrations with tools like GitHub Actions, TravisCI or CircleCI that provide built-in encryption and a secure environment for running actions.
Review Pull Requests Carefully: Review pull requests thoroughly before merging them, including checking for any changes that may affect secrets.
Audit Trail: Maintain an audit trail of all access to secrets by creating logs, alerts or notifications when any access or modification is made.
Strong Passwords: Use strong passwords and two-factor authentication to protect against credential-stuffing attacks.
Employ Mitigation Strategies: Employ mitigation strategies, such as revoking access to secrets, or regenerating secret keys immediately if an unauthorized access is detected.
Keep Secrets outside the source code: Keep secrets outside the source code, such as using a secret management service like AWS Secrets Manager or HashiCorp Vault.
Asked: 2022-02-08 11:00:00 +0000
Seen: 10 times
Last updated: Nov 29 '21