
Security Fix: Suppress false positive hardcoded credentials warnings in compiler_safe_outputs_steps.go (alerts #469, #468, #467, [Content truncated due to length]#9091

Merged
pelikhan merged 1 commit into main from security-fix-alerts-469-468-467-466-9807c005f3a13523 on Jan 6, 2026

Conversation

github-actions bot (Contributor) commented Jan 6, 2026

Security Fix: False Positive Hardcoded Credentials

Alert Numbers: #469, #468, #467, #466
Severity: HIGH
Rule: G101 - Potential hardcoded credentials
Confidence: LOW

Vulnerability Description

Gosec flagged four instances in pkg/workflow/compiler_safe_outputs_steps.go where strings containing GitHub Actions expression templates were mistakenly identified as hardcoded credentials:

  • Line 82: checkoutToken = "${{ steps.app-token.outputs.token }}"
  • Line 83: gitRemoteToken = "${{ steps.app-token.outputs.token }}"
  • Line 85: checkoutToken = "${{ github.token }}"
  • Line 86: gitRemoteToken = "${{ github.token }}"

These are NOT hardcoded credentials. They are GitHub Actions expression template placeholders that the GitHub Actions runtime replaces with actual secret values at execution time.

Fix Applied

Added nolint:gosec directives with detailed security justification comments for each variable assignment. These comments explain that:

  1. The strings are GitHub Actions expression templates, not literal credentials
  2. GitHub Actions runtime substitutes these placeholders with actual secret values during workflow execution
  3. This is the standard and secure pattern for accessing secrets in GitHub Actions workflows

Security Best Practices

  • Template Placeholders: Using ${{ secrets.* }} and ${{ github.token }} expressions is the recommended secure way to access credentials in GitHub Actions
  • No Hardcoding: No actual credential values are present in the source code
  • Runtime Substitution: The GitHub Actions runtime securely injects real credentials only at execution time
  • False Positive Pattern: This is a known false positive pattern that gosec cannot distinguish from actual hardcoded credentials

Testing Considerations

  • No functional changes to the code - only added suppression comments
  • The workflow behavior remains identical
  • Security scanning should now pass for these specific lines
  • Verify that gosec no longer flags these lines as security issues

Related Fixes

This follows the same pattern as previous fixes:


🤖 Generated with gh-aw Security Issue Fix Agent
Triggered by: @pelikhan
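As an added example, not code from gh-aw or from this PR, the pattern the fix relies on written out in Go: the token assignments carry a `//nolint:gosec` directive with the justification inline, and a small check distinguishes a complete `${{ ... }}` Actions expression from a literal token, which is what a reviewer wants to verify before accepting a suppression. The function `checkoutTokens`, its `useAppToken` flag, the regular expression and the list of GitHub token prefixes are assumptions of this example; only the four string values come from the alert description above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// actionsExpr matches a string that is exactly one GitHub Actions expression,
// e.g. "${{ github.token }}" or "${{ steps.app-token.outputs.token }}".
// Anything before or after the braces disqualifies it, so a literal value
// that merely embeds "${{" does not pass. The pattern is an assumption of
// this example, not a rule from gosec or the project.
var actionsExpr = regexp.MustCompile(`^\$\{\{\s*[^{}\s][^{}]*\}\}$`)

// tokenPrefixes are GitHub's documented token prefixes (ghp_ personal access
// tokens, ghs_ app installation tokens, github_pat_ fine-grained tokens, ...).
// Keeping such a list is an assumption of this example, not project code.
var tokenPrefixes = []string{"ghp_", "gho_", "ghu_", "ghs_", "ghr_", "github_pat_"}

// IsActionsExpression reports whether s is a template placeholder that the
// Actions runner substitutes at execution time rather than a literal value.
func IsActionsExpression(s string) bool {
	return actionsExpr.MatchString(strings.TrimSpace(s))
}

// LooksLikeLiteralToken reports whether s starts with a known GitHub token
// prefix, i.e. would be a genuine hardcoded credential, not a false positive.
func LooksLikeLiteralToken(s string) bool {
	s = strings.TrimSpace(s)
	for _, p := range tokenPrefixes {
		if strings.HasPrefix(s, p) {
			return true
		}
	}
	return false
}

// ClassifyTokenValue is the check to run before accepting a nolint: a literal
// token is a real finding, a complete expression is the accepted pattern, and
// anything else needs a human look.
func ClassifyTokenValue(s string) string {
	switch {
	case LooksLikeLiteralToken(s):
		return "hardcoded-credential"
	case IsActionsExpression(s):
		return "actions-expression"
	default:
		return "unknown"
	}
}

// checkoutTokens shows the shape of the suppressed assignments. The function,
// its useAppToken flag and the branch structure are assumptions of this
// example; only the four string values come from the alert description.
// The inline nolint comment carries the justification gosec cannot infer.
func checkoutTokens(useAppToken bool) (checkoutToken, gitRemoteToken string) {
	if useAppToken {
		checkoutToken = "${{ steps.app-token.outputs.token }}" //nolint:gosec // Actions expression resolved by the runner, not a credential
		gitRemoteToken = "${{ steps.app-token.outputs.token }}" //nolint:gosec // Actions expression resolved by the runner, not a credential
	} else {
		checkoutToken = "${{ github.token }}" //nolint:gosec // Actions expression resolved by the runner, not a credential
		gitRemoteToken = "${{ github.token }}" //nolint:gosec // Actions expression resolved by the runner, not a credential
	}
	return checkoutToken, gitRemoteToken
}

func main() {
	// Constructed inputs: the two suppressed values, a trailing-text variant
	// that must not pass, and a fake token built from a real prefix.
	samples := []string{
		"${{ steps.app-token.outputs.token }}",
		"${{ github.token }}",
		"${{ github.token }} trailing",
		"ghp_" + strings.Repeat("x", 36),
		"not-a-token",
	}
	for _, s := range samples {
		fmt.Printf("%-42q -> %s\n", s, ClassifyTokenValue(s))
	}
	a, b := checkoutTokens(true)
	fmt.Println("app token branch:", a, b)
}
```

The `//nolint:gosec // reason` form is the one golangci-lint honours; gosec run on its own recognises `#nosec` annotations instead, so a repository that runs both needs the directive form its linter actually reads. Classifying the string value, rather than suppressing on sight, is what keeps the suppression honest: a future edit that replaces the expression with a pasted token would turn up as "hardcoded-credential" even though the nolint comment is still there.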

AI generated by Security Fix PR

Fixed gosec false positive warnings for GitHub Actions expression templates
in compiler_safe_outputs_steps.go (alerts #469, #468, #467, #466).

Added nolint:gosec directives with detailed security justification for:
- checkoutToken assignments (lines 82, 88)
- gitRemoteToken assignments (lines 85, 90)

These are GitHub Actions expression template placeholders that the runtime
replaces with actual secret values at execution time, not hardcoded credentials.

🤖 Generated with [gh-aw](https://github.com/githubnext/gh-aw)

Co-Authored-By: pelikhan <noreply@github.com>
@pelikhan pelikhan marked this pull request as ready for review January 6, 2026 12:51
@pelikhan pelikhan merged commit b50feba into main Jan 6, 2026
3 checks passed
@pelikhan pelikhan deleted the security-fix-alerts-469-468-467-466-9807c005f3a13523 branch January 6, 2026 12:52