Merged
12 changes: 12 additions & 0 deletions .github/workflows/trivy-go-tests.yaml
Expand Up @@ -18,6 +18,11 @@ on:
required: false
default: './tests/...'
type: string
env_artifact_name:
description: 'Name of an uploaded .env artifact to download into the working directory before running tests (leave empty to skip). Used to provide runtime env vars (e.g. AUTH0_*) that the app reads at init.'
required: false
default: ''
type: string
Comment on lines +21 to +25

P1 security Secrets distributed via artifacts, not GitHub Secrets

The description explicitly calls out AUTH0_* credentials as the intended content of this artifact. GitHub artifacts are stored in plaintext, are accessible to every repository collaborator with read access, and are retained for up to 90 days (or whatever the org-level retention is set to). This means sensitive credentials that should be short-lived and access-controlled are effectively persisted as a downloadable bundle for months.

The recommended pattern is to add those values as GitHub Actions Secrets (or organisation/environment secrets) and pass them to the reusable workflow via the secrets: block, where they are masked in logs, never stored to disk, and subject to proper access controls. Using an artifact as a secrets transport side-steps all of those protections.

secrets:
GH_ACCESS_TOKEN:
description: 'GitHub access token for private repo access (required only if run_go_tests is true)'
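Review bot: the description of the new `env_artifact_name` input (the added lines at the top of this hunk) does not say where the artifact has to come from. `actions/download-artifact@v4` only resolves artifacts uploaded earlier in the same workflow run unless `run-id` and `github-token` are also given, so a caller must produce the `.env` artifact in a preceding job of the same run; the description should state that so callers of this reusable workflow do not discover it through a failed download. It also names `AUTH0_*` credentials as the intended payload; if the input is kept at all, the description should say the file is for non-sensitive runtime settings and point callers to the `secrets:` block directly below for anything that is a credential.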
Expand Down Expand Up @@ -69,6 +74,13 @@ jobs:
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
exit-code: '1'

- name: Download .env artifact
if: ${{ inputs.run_go_tests && inputs.env_artifact_name != '' }}
uses: actions/download-artifact@v4
with:
name: ${{ inputs.env_artifact_name }}
path: ${{ inputs.working_directory }}
Comment on lines +77 to +82

P1 security .env file downloaded after Trivy scan; secrets land on disk unmasked

The artifact is downloaded after Trivy completes, so it won't be present during the filesystem scan — which is probably intentional. However, actions/download-artifact@v4 writes the file to disk as plaintext inside ${{ inputs.working_directory }}. If any subsequent step (or a debug step added later) runs cat .env or if the file is accidentally archived, its contents will appear in the log unmasked. GitHub Secrets are masked everywhere they appear; artifact-sourced credentials are not.

Consider sourcing these values exclusively from GitHub Secrets and injecting them as environment variables on the Run Go Unit Tests step via its env: block, eliminating the need to write them to disk at all.


- name: Run Go Unit Tests
if: ${{ inputs.run_go_tests }}
working-directory: ${{ inputs.working_directory }}
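Review bot: the `Download .env artifact` step extracts the artifact straight into `${{ inputs.working_directory }}`, the same directory the `Run Go Unit Tests` step then runs from, and nothing removes the `.env` once the tests finish. `download-artifact` writes every file the artifact contains, not just `.env`, so a caller-supplied artifact can also replace checked-out files before the tests execute. Suggest downloading into a dedicated path (for example `${{ runner.temp }}/env-artifact`), copying only `.env` into the working directory, and adding a cleanup step with `if: always()` that deletes it; while here, pin `actions/download-artifact@v4` to a full commit SHA rather than a mutable tag.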