← all rules
iac/actions/gha-hardcoded-secret-env
Hardcoded secret in workflow env
highGitHub Actionsiac-actions
What it detects
A secret-named workflow/step `env:` value is set to a literal instead of a `${{ secrets.* }}` reference. Anything committed here lands in the repo history and the build logs, and is visible to every fork PR run.
Remediation
Store the value as a repository/organization Actions secret and reference it as `${{ secrets.NAME }}`. Rotate any value already committed.
How it runs
Run against `.github/workflows/*.yml` files. Targets the published patterns behind real-world breaches (GhostAction, s1ngularity, tj-actions/changed-files).
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.