Reputation: 5524
GitHub Secrets provides a way to pass credentials to GitHub Actions, but are they safe enough to be trusted with highly sensitive credentials?
Upvotes: 1
Views: 823
Reputation: 11
Secrets are encrypted environment variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in GitHub Actions workflows. GitHub uses a libsodium sealed box to help ensure that secrets are encrypted before they reach GitHub and remain encrypted until you use them in a workflow. For more details see https://docs.github.com/en/actions/security-guides/encrypted-secrets
Add an additional layer of protection by adding an org-level access policy and enabling reviewers to control env secrets.
Upvotes: 0
Reputation: 41920
I'm not sure that anyone can really answer that for you. I think it depends on how sensitive, and what level of risk you can afford to take.
What I would suggest, if you are concerned about the security of your secrets, is not to use third-party GitHub actions directly. Always fork the action and use your fork in workflows. This will prevent the possibility of someone modifying an action you are using to capture secrets and send them to some external server under their control.
Upvotes: 3
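An added workflow example (not from the question or either answer) that applies both suggestions above: environment secrets gated by required reviewers, and a forked copy of the third-party action instead of the upstream reference. It goes one step further than the answer by referencing the fork at a full commit SHA rather than a branch or tag; `example-org`, `deploy-action`, `DEPLOY_TOKEN`, the `production` environment and the SHA are placeholders.

```yaml
# Added example, not code from the question or answers. All names are placeholders.
name: deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Secrets defined on the "production" environment are only released to the
    # job after the environment's required reviewers approve the run
    # (Settings > Environments > production > Required reviewers).
    environment: production
    # Keep the job's GITHUB_TOKEN to the minimum the steps need.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      # Weak: an upstream third-party action referenced by a mutable tag.
      # Whoever controls that repository can change what runs with access
      # to the secret passed below.
      # - uses: third-party/deploy-action@v1
      #   with:
      #     token: ${{ secrets.DEPLOY_TOKEN }}

      # Stronger: the same action forked into your own organisation, reviewed,
      # and referenced by the fork's full commit SHA so the code that receives
      # the secret is exactly the code you reviewed (placeholder SHA).
      - uses: example-org/deploy-action@0123456789abcdef0123456789abcdef01234567
        with:
          token: ${{ secrets.DEPLOY_TOKEN }}
```

Updating the fork is then a deliberate step: pull upstream changes into your fork, review the diff, and move the SHA in the workflow only once that review is done.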