
Maintenance: Avoid Excessive Secret Exposure through dynamically accessed secrets in workflow #4365

@sdangol

Description

Summary

We should only pass those secrets that are needed by the workflow and avoid using dynamically accessed secrets such as secrets[format('GH_PAT_%s', matrix.env)] since the workflow will need to receive all secrets to decide at runtime which one needs to be used.

This is a medium CodeQL finding:

Why is this needed?

When the workflow runner cannot determine what secrets are needed to run the workflow, it will pass all the available secrets to the runner, including organization and repository secrets. This violates the principle of least privilege and increases the impact of a potential vulnerability affecting the workflow.

Which area does this relate to?

Automation

Solution

strategy:
  matrix:
    env: [PROD, DEV]
---
# One step per environment, each naming its secret statically
# (GitHub expression string literals use single quotes, not double quotes).
if: matrix.env == 'PROD'
env:
  GH_TOKEN: ${{ secrets.GH_PAT_PROD }}
---
if: matrix.env == 'DEV'
env:
  GH_TOKEN: ${{ secrets.GH_PAT_DEV }}

Acknowledgment

Future readers

Please react with 👍 and your use case to help us understand customer demand.
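As an added example (not part of the issue or of the project's own workflows), the following complete workflow shows the weak dynamic lookup from the Summary next to the static per-environment steps from the Solution section. The workflow name, the `deploy.sh` script and the `GH_PAT_PROD` / `GH_PAT_DEV` secret names are assumptions for illustration; the script is assumed to read `GH_TOKEN` from its environment.

```yaml
# Added example, not from the issue: one job, one secret per matrix environment.
name: deploy

on:
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        env: [PROD, DEV]
    steps:
      # Weak form (kept only as a comment): the secret name is computed at
      # runtime, so the runner cannot know up front which secret is needed and
      # receives every secret in scope. This is what CodeQL flags.
      #
      # - name: Deploy (dynamic secret lookup)
      #   env:
      #     GH_TOKEN: ${{ secrets[format('GH_PAT_%s', matrix.env)] }}
      #   run: ./deploy.sh

      # Hardened form: each step references exactly one secret by its static
      # name and is gated on the matrix value, so a step only ever sees the
      # secret it names. Expression strings use single quotes.
      - name: Deploy to PROD
        if: matrix.env == 'PROD'
        env:
          GH_TOKEN: ${{ secrets.GH_PAT_PROD }}   # assumed secret name
        run: ./deploy.sh                         # hypothetical script, reads GH_TOKEN

      - name: Deploy to DEV
        if: matrix.env == 'DEV'
        env:
          GH_TOKEN: ${{ secrets.GH_PAT_DEV }}    # assumed secret name
        run: ./deploy.sh                         # hypothetical script, reads GH_TOKEN
```

The secret is passed through `env` rather than as a command-line argument so it does not appear in the step's logged command line or in process listings on the runner; adding a third environment means adding a third static step rather than widening a dynamic lookup.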

Metadata

Labels

automation: This item relates to automation
internal: PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.)
pending-release: This item has been merged and will be released soon
