← all rules

iac/actions/gha-hardcoded-secret-env

Hardcoded secret in workflow env

highGitHub Actionsiac-actions

What it detects

A secret-named workflow/step `env:` value is set to a literal instead of a `${{ secrets.* }}` reference. Anything committed here lands in the repo history and the build logs, and is visible to every fork PR run.

Remediation

Store the value as a repository/organization Actions secret and reference it as `${{ secrets.NAME }}`. Rotate any value already committed.

How it runs

Run against `.github/workflows/*.yml` files. Targets the published patterns behind real-world breaches (GhostAction, s1ngularity, tj-actions/changed-files).

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.