Replies: 18 comments 17 replies
-
Hi there @behnazh-w and welcome to our community! Thank you for asking a great question 🙂 To get started, introduce yourself in our official introduction thread |
Beta Was this translation helpful? Give feedback.
-
Hey @behnazh-w - I'm keen on helping ensure GitHub Actions works for SLSA provenance generation. I tried to reproduce this, but wasn't able to, so I'm not sure exactly what's going on. That said, it looks like we're already using workflow artifacts, so maybe we could use that mechanism (instead of output) to share the hash between jobs in the workflow? Note also that Here was my attempt to reproduce this, which again, didn't work:
|
Beta Was this translation helpful? Give feedback.
-
@steiza Thanks for helping out.
Same here. I cannot reproduce the problem in a private clone of this repository. However, this problem is consistently happening for various Micronaut projects that are created from the same template repo, where the SLSA provenance generation is integrated. My guess is that the GitHub Actions security analysis that monitors job outputs for secrets has a bug, which results in this false positive.
The slsa-github-generator GitHub Actions need the job output to pass the hashes between jobs. That's because a workflow artifact can be updated (replaced) by a different potentially malicious job triggered by the same workflow. So if we store the hashes in a workflow artifact we can't guarantee the integrity of the build artifacts. But unfortunately GitHub is not working as expected and does not set the output correctly. So the slsa-github-generator requires a feature from GitHub that is not reliable.
We should still be able to use the |
Beta Was this translation helpful? Give feedback.
-
I am having the same issue while exporting as job output the first 7 chars of The masking is completely random. Sometime one is skipped and sometime the other. Have you figured out a solution? |
Beta Was this translation helpful? Give feedback.
-
The issue still persists w/ github.com. Is there a work around? |
Beta Was this translation helpful? Give feedback.
-
This is very annoying. Outputs should not be ignored if there is a potential secret, because build outputs can be IDs and the detection meachanism is flakey. |
Beta Was this translation helpful? Give feedback.
-
to the next job, and GitHub will not set the output because it was treated as a secret. But in fact, it is just a regular variable |
Beta Was this translation helpful? Give feedback.
-
Any solution yet? I'm having the same issue when passing Azure resource group name to the next job, and GitHub will not set the output because it was treated as a secret. But in fact, it is just a regular variable. |
Beta Was this translation helpful? Give feedback.
-
FWIW I am also having this issue with an AWS ARN. It is considering the Account ID in the ARN a secret and so ignoring it as job output. Very annoying. |
Beta Was this translation helpful? Give feedback.
-
I am also having the same issue with an AWS ECR Image URI. I am trying to separate the (1) build-and-push-to-ECR job from the (2) deploy-ECR-image-to-App-Runner job. Job 2 needs the Image URI from Job 1. |
Beta Was this translation helpful? Give feedback.
-
I am using artifact as workaround for the moment. I created 2 actions:
And use them like:
|
Beta Was this translation helpful? Give feedback.
-
I used artifacts as a workaround of this problem but now i'm reaching quota limitation of artifacts (even if retention is 1 day). Same as https://github.com/orgs/community/discussions/37942#discussioncomment-6434547 I use job outputs for standard variables and not secrets. |
Beta Was this translation helpful? Give feedback.
-
none of the variables are derived from secrets, but still, main_image output is suppressed |
Beta Was this translation helpful? Give feedback.
-
Same issue here, have been debugging for a stupid amount of time. It seems like some outputs will be filtered but others may not. It is still a black box and no one knows how GitHub decides whether an output is sensitive or not. Here's my code snippet, where output
|
Beta Was this translation helpful? Give feedback.
-
Is anything being done to resolve this? I ran across this when creating a S3 resource path /foo_ops/github/artifacts/foo_project/file.zip. There is also a secret being used in the job with the value foo I then get the erroneous warning of "Skip output 'artifact-name' since it may contain secret." The name is not emitted as output and the rest of the workflow fails. Other jobs in the same workflow that don't reference the secret with the value 'foo' have no issues. The github processor needs to have better understanding of the context and not just match by value. |
Beta Was this translation helpful? Give feedback.
-
Having the same issue, value of environment variable Follow up: this was caused by using a raw JSON as a secret - encoding the JSON with Base64 resolved the issue: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#storing-base64-binary-blobs-as-secrets |
Beta Was this translation helpful? Give feedback.
-
🤕 Same issue for
Get in the Complete Job step
|
Beta Was this translation helpful? Give feedback.
-
Same issue:
The value of |
Beta Was this translation helpful? Give feedback.
-
We are using the build outputs to pass the hash of artifacts between two jobs, which is necessary for creating SLSA provenances.
GitHub Actions is not setting the output with the error message:
This is clearly a false positive as the hashes of the artifacts would have no secrets. Is there any workaround to pass this value as the output here?
Beta Was this translation helpful? Give feedback.
All reactions