Consider removing AWS_ACCESS_KEY_ID from mirror workflow #1992

udondan · 2022-07-05T07:08:21Z

In the file /master/.github/workflows/mirror.yml#L25 you expose your AWS_ACCESS_KEY_ID.

Apart from the fact that this might be a security concern, this is causing problems on user end when scanning with security tools. For example the popular vulnerability scanner Trivy is raising a critical error.

Would be great if you could move the value to a github secret, just like the AWS_SECRET_ACCESS_KEY.

The text was updated successfully, but these errors were encountered:

mislav · 2022-07-06T11:12:10Z

Thanks for raising this issue. I won't, however, move this to a secret just because a vulnerability tool considers this a critical error:

The key is already in git. Moving it to a "secret" does not obfuscate it in any way since it doesn't remove it from git history;
Knowing someone's access key ID can cause no damage, and is in fact no vulnerability in it of itself.

You could try configuring your scanner so it doesn't consider this a critical error.

mislav · 2023-03-10T15:25:38Z

Update: the AWS access key is now gone from version control

udondan added the bug label Jul 5, 2022

mislav closed this as completed Jul 6, 2022

mislav mentioned this issue Mar 10, 2023

Remove AWS access key ID from version control #2163

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Consider removing AWS_ACCESS_KEY_ID from mirror workflow #1992

Consider removing AWS_ACCESS_KEY_ID from mirror workflow #1992

udondan commented Jul 5, 2022

mislav commented Jul 6, 2022

mislav commented Mar 10, 2023

Consider removing AWS_ACCESS_KEY_ID from mirror workflow #1992

Consider removing AWS_ACCESS_KEY_ID from mirror workflow #1992

Comments

udondan commented Jul 5, 2022

mislav commented Jul 6, 2022

mislav commented Mar 10, 2023