GA-C007: Hardcoded secret
Severity: Warning | Category: Security
Why This Matters
Hardcoded API keys, tokens, and passwords in workflow files are visible to anyone with read access to the repository, including every fork and clone, and they persist in git history even after the line is removed. Reference secrets with `${{ secrets.MY_TOKEN }}` instead; the value is stored in the repository or organization secrets settings, is never written to the workflow file, and is masked in job logs. A credential that has already been committed should be treated as compromised and rotated, because switching to a secrets reference does not remove it from history.
How to Fix
Store the value as a repository or organization secret, then reference it with `${{ secrets.MY_TOKEN }}` instead of the hardcoded value.
Before (incorrect)

    env:
      TOKEN: ghp_abc123...

After (correct)

    env:
      TOKEN: ${{ secrets.MY_TOKEN }}

Rule Details
- Rule Code: GA-C007
- Severity: Warning
- Category: Security
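The check this rule describes can be reproduced with a small line-based scanner. The following is an added example, not the linter's own implementation: it walks a workflow file, skips any value that is a `${{ ... }}` expression, and flags literal values that either match a known credential format or sit in a variable whose name suggests a credential. The credential prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`, `AKIA`) are a partial, illustrative list, the sensitive-name list is an assumption, and the sample workflow is constructed for the example.

```python
import re

# Constructed sample workflow for the example (not taken from the page).
# It mixes two hardcoded credentials, one weak literal password, one correct
# secrets reference and an ordinary non-secret value.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      TOKEN: ghp_abc123def456ghi789jkl012mno345pqr678
      API_URL: https://api.example.com
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
          AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
          PASSWORD: hunter2
        run: ./deploy.sh
"""

# Credential formats recognised by the scanner. Partial list, assumed for
# illustration; a real linter would carry a much longer one.
TOKEN_PATTERNS = [
    ("github token", re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{20,}\b")),
    ("github fine-grained pat", re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}\b")),
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Variable names that usually carry a credential (assumed list). A plain
# literal in one of these is reported even without a recognised prefix.
SENSITIVE_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)", re.I)

# A whole-value expression such as ${{ secrets.X }} is the correct form.
EXPRESSION = re.compile(r"^\$\{\{.*\}\}$")

# `KEY: value` mapping lines; list items (`- name: ...`) and bare keys
# (`env:`) deliberately do not match.
KV_LINE = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_-]*):\s*(.+?)\s*$")


def find_hardcoded_secrets(text):
    """Return (line_no, key, reason) for every mapping value that looks like
    a literal credential rather than a secrets reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(2), m.group(3).strip("\"'")
        if EXPRESSION.match(value):
            continue  # ${{ secrets.X }} or another expression: acceptable
        for label, pattern in TOKEN_PATTERNS:
            if pattern.search(value):
                findings.append((line_no, key, label))
                break
        else:
            # No known format matched; still report a literal in a
            # credential-looking variable (a `$VAR` shell reference is fine).
            if SENSITIVE_NAME.search(key) and not value.startswith("$"):
                findings.append((line_no, key, "literal in sensitive variable"))
    return findings


if __name__ == "__main__":
    for line_no, key, reason in find_hardcoded_secrets(SAMPLE_WORKFLOW):
        print(f"GA-C007 line {line_no}: {key} ({reason}); use ${{{{ secrets.{key} }}}}")
```

The `${{ ... }}` check is what keeps the corrected form from the fix section out of the report; only the values that would be visible in the repository are flagged. Treat a hit as a rotation task as well as a code fix, since the literal is already in history by the time the scanner sees it.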