Secrets should be stored explicitly as encrypted GitHub Actions Secrets

ID

cicd_unencrypted_secrets

Severity

high

Family

CI/CD Security

Tags

cicd-sec-06, cicd-security, reachable, security, supply-chain

Description

This check reports potentially sensitive data that is used in pipelines as variables or literals and should instead be stored as secrets.

Security

Developers storing sensitive data as variables instead of secrets in pipelines is a common mistake. This can lead to security breaches and data leaks. Variables are stored in plain text and can be accessed by anyone who has access to the pipeline. On the other hand, secrets are encrypted and can only be accessed by authorized users.

Secrets used by GitHub Actions should be stored explicitly as secrets, not as variables. Values stored as secrets appear encrypted; variables appear in plain text.

To lower the risk of leaking secrets if a GitHub runner is compromised, GitHub Actions provides a Secrets section in which values are stored encrypted. A secret kept in the variables area instead is held in plaintext and can be leaked.

Mitigation / Fix

To avoid this mistake, developers should store sensitive data as secrets in pipelines. Secrets are encrypted and can only be accessed by authorized users.

GitHub Actions, Azure DevOps and Bitbucket handle secrets in pipelines differently. Azure Pipelines have variables (secret or clear text) and variable groups to help you manage configuration in your pipelines, whereas GitHub Actions has only secrets (tied to a repository or organization) and Bitbucket handles secrets only at the repository or workspace level.

Azure Pipelines allow you to store secrets in the web interface under the Variables option on the Pipeline page.
GitHub Actions allow you to store secrets in the web interface through the Settings/Secrets option of the repository.
Bitbucket Pipelines allow you to store secrets in the web interface by selecting Settings/Pipelines in the repository and choosing Workspace or Repository variables.
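The following is an added example, not the checker's own implementation and not code from the page: a minimal line-based detector for the condition this rule describes, run over two constructed GitHub Actions workflows. The first workflow keeps a database password as a literal and reads a registry token from the plaintext `vars` context (the `vars` context is assumed here to carry configuration variables, which GitHub stores unencrypted); the second is the mitigated form that reads both values through `${{ secrets.* }}`. Key names, values and the sensitive-name pattern are assumptions chosen for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample: secrets kept as a literal and as a plaintext variable.
VULNERABLE_WORKFLOW = """\
name: deploy
on: [push]
env:
  DB_PASSWORD: "hunter2"            # literal stored in the workflow file
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Push image
        env:
          REGISTRY_TOKEN: ${{ vars.REGISTRY_TOKEN }}   # plaintext variable
        run: ./deploy.sh
"""

# Constructed sample: the same workflow after moving both values to encrypted secrets.
FIXED_WORKFLOW = """\
name: deploy
on: [push]
env:
  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Push image
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: ./deploy.sh
"""

# Assumed heuristic: key names that usually hold credentials.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key|credential)", re.I
)
# A simple "key: value" YAML line (sequence items such as "- uses:" are skipped).
KEY_VALUE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*:\s*(.+?)\s*$")
# Encrypted secret reference: the only acceptable source for a sensitive value.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_]\w*\s*\}\}$")
# Plaintext configuration variable reference (assumed to be the `vars` context).
VAR_REF = re.compile(r"^\$\{\{\s*vars\.[A-Za-z_]\w*\s*\}\}$")


@dataclass
class Finding:
    line: int
    key: str
    kind: str  # "literal" or "variable"


def strip_comment(value: str) -> str:
    """Drop a trailing '# ...' comment; a '#' inside a quoted value is data."""
    if value[:1] in ('"', "'"):
        end = value.find(value[0], 1)
        return value[: end + 1] if end != -1 else value
    return re.sub(r"\s+#.*$", "", value)


def find_unencrypted_secrets(workflow_text: str) -> list:
    """Return sensitive-looking keys whose value is not a ${{ secrets.* }} reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, raw_value = match.group(1), match.group(2)
        if not SENSITIVE_KEY.search(key):
            continue
        value = strip_comment(raw_value)
        if SECRET_REF.match(value):
            continue  # stored encrypted, as the rule requires
        kind = "variable" if VAR_REF.match(value) else "literal"
        findings.append(Finding(lineno, key, kind))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        findings = find_unencrypted_secrets(text)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line}: {f.key} is a {f.kind}, store it as a secret")
```

The detector deliberately accepts only `${{ secrets.NAME }}` as a sensitive value; a quoted literal and a `vars` reference are both reported, because both sit in the workflow file or the variables area in plaintext. A real checker would parse the YAML and inspect `run:` scripts as well; the line-based scan here only shows the decision the rule makes.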