GitHub Token exposed in output of greenkeeper-lockfile-upload #87
Comments
Just noticed this. It's a very serious security issue. GitHub tokens have a wide permission scope. Ideally this project should use deploy tokens instead since they are restricted to pushing to the specific repo. Until this is addressed I will have to redirect all output to /dev/null
I looked into this more. Seems like deploy keys are supported but undocumented:
I've updated my CI configs to use deploy keys. I think deploy keys should be recommended over tokens, and if using tokens the output should be redirected to hide it.
Any update on this?
@Realtin this is a fairly significant security issue, any chance someone can take a look at this? (And ideally document that Deploy Keys are also supported?)
Sorry for the late reply here. Since this was undocumented behaviour, we didn’t catch this in time. I’ve pushed a branch that should address this. Would you fine folks here be able to give it a spin & review? Thanks a lot!
Is this still an open issue?
I am not sure if this is intended
See "Upload greenkeeper-lockfile" step in anishkny/realworld-e2e-test/39
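The workaround proposed in this thread (redirecting the upload step's output to /dev/null) hides the token but also hides every other line of the step, which makes failures hard to debug. The following is an added example, not code from greenkeeper-lockfile or from anyone in this thread: it masks the token in the step's output instead of discarding it, preserves the step's exit status, and offers a post-build check that flags any log still containing the secret. It assumes the token is held in an environment variable named GH_TOKEN and uses a constructed sample line with an obviously fake token; both are placeholders.

```shell
#!/bin/sh
# Added example (not from the greenkeeper-lockfile project).
# Assumption: the CI token is exported as GH_TOKEN. The sample line and
# the token value below are constructed for illustration.

# mask_secret SECRET: copy stdin to stdout, replacing every verbatim
# occurrence of SECRET with "***". Characters that are special in a
# sed basic regular expression are escaped first so the token is matched
# literally. An empty secret passes the stream through unchanged.
mask_secret() {
    secret="$1"
    if [ -z "$secret" ]; then
        cat
        return 0
    fi
    escaped=$(printf '%s' "$secret" | sed 's/[][\\/.*^$]/\\&/g')
    sed "s/$escaped/***/g"
}

# run_masked CMD [ARGS...]: run the step, merge stderr into stdout, mask
# GH_TOKEN in everything it printed, and return the step's own exit status
# (a plain pipe would return sed's status instead).
run_masked() {
    tmp=$(mktemp)
    "$@" >"$tmp" 2>&1
    status=$?
    mask_secret "${GH_TOKEN:-}" <"$tmp"
    rm -f "$tmp"
    return "$status"
}

# log_leaks_secret SECRET TEXT: succeed (exit 0) if TEXT contains SECRET
# verbatim. Intended as a final check on a build log before it is archived
# or made public.
log_leaks_secret() {
    printf '%s\n' "$2" | grep -qF -- "$1"
}

# Constructed sample of the kind of line a push step may print when the
# remote URL embeds the credential (the real greenkeeper output is not
# reproduced here). The token value is fake.
SAMPLE_LINE='Pushing to https://ghp_EXAMPLE000000@github.com/owner/repo.git'

# demo: run a stand-in for the upload step with the fake token set, so the
# masked line can be inspected.
demo() {
    (
        GH_TOKEN='ghp_EXAMPLE000000'
        export GH_TOKEN
        run_masked printf '%s\n' "$SAMPLE_LINE"
    )
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh mask.sh --demo` to see the sample line with the token replaced by `***`. In a real pipeline the upload command takes the place of `printf`, for example `run_masked greenkeeper-lockfile-upload`, and `log_leaks_secret "$GH_TOKEN" "$(cat build.log)"` at the end of the job turns a leaked token into a failed build rather than a published one.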