GA-L011: Credentials leak

Error Security

Why This Matters

Container or service credentials (username/password) are hardcoded in the workflow file. This exposes secrets in version control and CI logs. Use encrypted secrets instead.

How to Fix

Move the credentials to GitHub secrets and reference them from the workflow with the `${{ secrets.NAME }}` expression.

Before (incorrect)

services:
  db:
    image: postgres
    credentials:
      username: admin
      password: pass123

After (correct)

services:
  db:
    image: postgres
    credentials:
      username: ${{ secrets.DB_USER }}
      password: ${{ secrets.DB_PASS }}
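
A minimal sketch of the kind of check this rule describes, as an added example (not the linter's own implementation). It assumes a plain indentation-based scan is sufficient, and the function name `find_hardcoded_credentials` is hypothetical:

```python
import re

# A value that is entirely a GitHub Actions expression, e.g. ${{ secrets.DB_PASS }}
EXPRESSION = re.compile(r"^\$\{\{.*\}\}$")
KEY_VALUE = re.compile(r"^(\s*)([A-Za-z_-]+):\s*(.*)$")

# Constructed sample inputs, copied from the Before/After snippets above.
BEFORE = """\
services:
  db:
    image: postgres
    credentials:
      username: admin
      password: pass123
"""
AFTER = """\
services:
  db:
    image: postgres
    credentials:
      username: ${{ secrets.DB_USER }}
      password: ${{ secrets.DB_PASS }}
"""

def find_hardcoded_credentials(workflow_text):
    """Return (line_number, key) for each literal username/password
    found directly under a `credentials:` mapping."""
    findings = []
    cred_indent = None  # indentation of the enclosing `credentials:` key
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = KEY_VALUE.match(line)
        if not match:
            continue  # blank lines, comments, list items
        indent, key = len(match.group(1)), match.group(2)
        value = re.sub(r"(^|\s)#.*$", "", match.group(3)).strip()  # drop comments
        if cred_indent is not None and indent <= cred_indent:
            cred_indent = None  # dedent: we left the credentials block
        if key == "credentials" and not value:
            cred_indent = indent
        elif cred_indent is not None and key in ("username", "password"):
            value = value.strip("'\"")
            if value and not EXPRESSION.match(value):
                findings.append((number, key))
    return findings

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, find_hardcoded_credentials(text))
```

A value that mixes literal text with an expression is reported as hardcoded, and `password` keys outside a `credentials:` mapping are ignored.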

Rule Details

Rule Code: GA-L011
Severity: Error
Category: Security
