Open rsenden opened 9 months ago
This should have been (mostly) fixed now, but we should do another round to review whether we're correctly cleaning up all environment variables, and whether we've documented the recommendations regarding potentially sharing confidential values with non-Fortify steps through environment variables.
Some actions generate temporary environment variables containing command-line options for subsequent command invocation. These temporary variables should be cleaned up immediately after use.
Some environment variables like `_FOD_LOGIN_OPTS` contain sensitive data that is now accessible by all subsequent job steps, which potentially include untrusted actions.

Somewhat related, we should document that `env:` sections containing secrets should ideally be defined at step-level, not job-level, i.e., the `FOD_PASSWORD` env-var should only be available to the (scan) action being invoked, not to all (potentially non-Fortify) steps/actions being run in other steps.
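As an added illustration (constructed here, not taken from the issue or from the Fortify action's own documentation), a workflow showing the job-level `env:` that exposes `FOD_PASSWORD` to every step next to the step-level form this issue recommends; the action references `fortify/<scan-action>@<version>` and `third-party/<some-action>@<version>` are placeholders, and the final `run` step is a defensive check that the temporary `_FOD_LOGIN_OPTS` variable did not leak into later steps.

```yaml
name: fortify-scan-env-scoping
on: [push]

jobs:
  # Weak: job-level env makes the secret visible to every step in the job,
  # including the third-party action that runs after the Fortify scan.
  scan-job-level-env:
    runs-on: ubuntu-latest
    env:
      FOD_PASSWORD: ${{ secrets.FOD_PASSWORD }}   # exposed to ALL steps below
    steps:
      - uses: actions/checkout@v4
      - uses: fortify/<scan-action>@<version>         # placeholder
      - uses: third-party/<some-action>@<version>     # placeholder; can read FOD_PASSWORD

  # Recommended: step-level env limits the secret to the Fortify step only.
  scan-step-level-env:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: fortify/<scan-action>@<version>         # placeholder
        env:
          FOD_PASSWORD: ${{ secrets.FOD_PASSWORD }}   # visible to this step only
      - uses: third-party/<some-action>@<version>     # placeholder; FOD_PASSWORD not set here
      # Defensive check: fail the job if a temporary login-options variable
      # generated by an earlier step is still present in this step's environment.
      - name: Verify temporary Fortify variables were cleaned up
        run: |
          if [ -n "${_FOD_LOGIN_OPTS:-}" ]; then
            echo "_FOD_LOGIN_OPTS is still set in a later step" >&2
            exit 1
          fi
```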