chore: apply image scan #26
Conversation
Greptile Summary

This PR adds an

Confidence Score: 3/5

The change introduces a mechanism for passing credentials to Go tests via GitHub artifact download, which writes secrets to disk as plaintext rather than using GitHub's masked secret injection — needs rethinking before merge. Two related issues exist in the new code path: credentials (AUTH0_* and similar) are stored in GitHub artifacts where they persist in plaintext for up to 90 days and are accessible to all repository members with read access; and the download step writes those credentials as a file on the runner's filesystem, bypassing the masking guarantees that GitHub Secrets provide. The rest of the workflow (Trivy scan, Go test invocation, existing input parameters) is unchanged and correct. .github/workflows/trivy-go-tests.yaml — specifically the new
| Filename | Overview |
|---|---|
| .github/workflows/trivy-go-tests.yaml | Adds env_artifact_name input and a download step to inject a .env file (containing AUTH0_* and similar credentials) before Go tests run — but passes secrets via plaintext artifacts instead of GitHub Secrets, which undermines the security model. |
Sequence Diagram

```mermaid
%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
participant Caller as Calling Workflow
participant Runner as ubuntu-latest Runner
participant Trivy as aquasecurity/trivy-action
participant ArtifactStore as GitHub Artifact Store
participant GoTest as go test
Caller->>Runner: "workflow_call (run_go_tests=true, env_artifact_name=name)"
Runner->>Runner: Checkout Code
Runner->>Runner: Set up Go (configure GOPRIVATE)
Runner->>Runner: go mod download and tidy
Runner->>Trivy: fs scan (CRITICAL,HIGH,MEDIUM,LOW)
Trivy-->>Runner: exit 1 on findings / 0 on clean
Runner->>ArtifactStore: "download-artifact@v4 (name=env_artifact_name)"
Note over ArtifactStore,Runner: .env written to disk as plaintext, accessible to all repo collaborators
ArtifactStore-->>Runner: .env file to working_directory
Runner->>GoTest: go test -v ./tests/...
GoTest-->>Runner: results
```
Reviews (1): Last reviewed commit: "chore: apply image scan"
| env_artifact_name: | ||
| description: 'Name of an uploaded .env artifact to download into the working directory before running tests (leave empty to skip). Used to provide runtime env vars (e.g. AUTH0_*) that the app reads at init.' | ||
| required: false | ||
| default: '' | ||
| type: string |
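Review bot: The description of `env_artifact_name` names `AUTH0_*` credentials as the intended contents of the artifact, which makes a plaintext, 90-day-retained artifact the documented transport for secrets. Either declare those values under the `workflow_call` `secrets:` block and drop this input, or, if the input is kept for genuinely non-sensitive runtime configuration, reword the description to state that the artifact must not contain credentials, so callers are not steered into uploading them. The `default: ''` paired with the `!= ''` guard on the download step is fine as written.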
Secrets distributed via artifacts, not GitHub Secrets
The description explicitly calls out AUTH0_* credentials as the intended content of this artifact. GitHub artifacts are stored in plaintext, are accessible to every repository collaborator with read access, and are retained for up to 90 days (or whatever the org-level retention is set to). This means sensitive credentials that should be short-lived and access-controlled are effectively persisted as a downloadable bundle for months.
The recommended pattern is to add those values as GitHub Actions Secrets (or organisation/environment secrets) and pass them to the reusable workflow via the secrets: block, where they are masked in logs, never stored to disk, and subject to proper access controls. Using an artifact as a secrets transport side-steps all of those protections.
| - name: Download .env artifact | ||
| if: ${{ inputs.run_go_tests && inputs.env_artifact_name != '' }} | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: ${{ inputs.env_artifact_name }} | ||
| path: ${{ inputs.working_directory }} |
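Review bot: Nothing removes the downloaded `.env` after the tests, so it stays in `${{ inputs.working_directory }}` for the rest of the job and will be swept up by any later step that archives that directory (for example an `actions/upload-artifact` of test output); add a cleanup step with `if: always()` that deletes the file after `Run Go Unit Tests`. Also note that `actions/download-artifact@v4` only resolves artifacts uploaded earlier in the same workflow run unless `run-id` and `github-token` are supplied, so the caller must upload the `.env` in a preceding job of the same run; that constraint belongs in the input description.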
.env file downloaded after Trivy scan; secrets land on disk unmasked
The artifact is downloaded after Trivy completes, so it won't be present during the filesystem scan — which is probably intentional. However, actions/download-artifact@v4 writes the file to disk as plaintext inside ${{ inputs.working_directory }}. If any subsequent step (or a debug step added later) runs cat .env or if the file is accidentally archived, its contents will appear in the log unmasked. GitHub Secrets are masked everywhere they appear; artifact-sourced credentials are not.
Consider sourcing these values exclusively from GitHub Secrets and injecting them as environment variables on the Run Go Unit Tests step via its env: block, eliminating the need to write them to disk at all.
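Both Greptile comments above (the one on the `env_artifact_name` input and the one on the download step) recommend the same fix: declare the credentials as GitHub Actions secrets, pass them into the reusable workflow through its `secrets:` block, and inject them into the test step's `env:` so nothing is ever written to disk. The following is an added illustration of that pattern, not the project's own workflow: the secret names `AUTH0_DOMAIN`, `AUTH0_CLIENT_ID` and `AUTH0_CLIENT_SECRET`, the job names and the `working_directory` default are assumed, and the Go setup and Trivy steps of the existing workflow are elided.

```yaml
# Added example, not the project's own workflow.
# Assumed secret names: AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET.

# --- Reusable workflow: .github/workflows/trivy-go-tests.yaml ---
name: Trivy and Go tests
on:
  workflow_call:
    inputs:
      run_go_tests:
        type: boolean
        default: false
      working_directory:
        type: string
        default: '.'
    # Credentials are declared here instead of an env_artifact_name input.
    secrets:
      AUTH0_DOMAIN:
        required: false
      AUTH0_CLIENT_ID:
        required: false
      AUTH0_CLIENT_SECRET:
        required: false

jobs:
  scan-and-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
      # Go setup, go mod download/tidy and the Trivy fs scan are unchanged and elided.
      - name: Run Go Unit Tests
        if: ${{ inputs.run_go_tests }}
        working-directory: ${{ inputs.working_directory }}
        env:
          # Masked in logs by GitHub; present only in the step's process environment.
          AUTH0_DOMAIN: ${{ secrets.AUTH0_DOMAIN }}
          AUTH0_CLIENT_ID: ${{ secrets.AUTH0_CLIENT_ID }}
          AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }}
        run: go test -v ./tests/...

---
# --- Calling workflow (assumed job name: ci) ---
name: CI
on: [push, pull_request]
jobs:
  ci:
    uses: ./.github/workflows/trivy-go-tests.yaml
    with:
      run_go_tests: true
    # Repository, organisation or environment secrets, forwarded explicitly.
    secrets:
      AUTH0_DOMAIN: ${{ secrets.AUTH0_DOMAIN }}
      AUTH0_CLIENT_ID: ${{ secrets.AUTH0_CLIENT_ID }}
      AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }}
```

A caller in the same repository or organisation can write `secrets: inherit` instead of forwarding each secret by name. If the test code loads `.env` with a library such as godotenv, make sure a missing file is tolerated (`godotenv.Load()` returns an error when the file does not exist), since the variables now arrive from the process environment rather than from a file.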