Skip to content

Add persist-credentials: false to GitHub Actions checkout steps #10305

Description

@knqyf263

Description

The actions/checkout action stores the GITHUB_TOKEN in .git/config by default (persist-credentials: true). This means any subsequent step in the workflow can access the token, even if it doesn't need git push capabilities.

Setting persist-credentials: false on checkout steps that don't require git push reduces the attack surface by preventing credential theft through compromised dependencies or scripts.

Reference: https://github.com/goreleaser/example-secure/blob/main/.github/workflows/release.yml

Expected Behavior

All actions/checkout steps that don't need to perform git push should have persist-credentials: false set.

Steps to Address

Add persist-credentials: false to checkout steps in workflows that only read code (test, build, scan, etc.), while keeping credentials available for workflows that need to push (backport, deploy, mkdocs).

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/securityCategorizes issue or PR as related to Trivy's own security or internal vulnerabilities.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions