GitHub Organization Secret visible from public repositories

Checks for GitHub organizations which have Organization-level secrets that can be accessed by workflows from public repositories.

Allowing a GitHub Actions org-level secret to be visible from any public workflow is risky if you regularly merge pull requests from external contributors' forked repositories. If not carefully audited, an external contribution could exfiltrate the secret. You should therefore minimize the number of org-level secrets that have public visibility. By default, prefer limiting a secret to private repositories or to a selected set of repositories, or use repository-level secrets instead. Org-level secrets conveniently simplify secret provisioning at scale, but they give great power to anyone who has write access to modify workflows.


Insecure Example

Insecure org-level secret configuration

Secure Example

Private Secure org-level secret configuration

Selected repositories Secure org-level secret configuration
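The audit this check performs, as an added Python example that is not the check's own code: it walks the org secret list and, for secrets with "selected" visibility, the repositories each secret is shared with, flagging every secret a public repository's workflow could read. The API responses are constructed samples whose field names follow the GitHub REST API (`visibility`, `private`); the org and secret names are made up.

```python
import json

# Constructed sample of GET /orgs/{org}/actions/secrets (field names follow the
# GitHub REST API; the secret names are made up for this example).
ORG_SECRETS = json.loads("""{
  "total_count": 3,
  "secrets": [
    {"name": "NPM_PUBLISH_TOKEN", "visibility": "all"},
    {"name": "DEPLOY_KEY", "visibility": "private"},
    {"name": "DOCS_TOKEN", "visibility": "selected"}
  ]
}""")

# Constructed sample of GET /orgs/{org}/actions/secrets/{name}/repositories for
# the one "selected" secret above; "private": false marks a public repository.
SELECTED_REPOS = {
    "DOCS_TOKEN": [
        {"id": 101, "full_name": "example-org/docs-site", "private": False},
        {"id": 102, "full_name": "example-org/internal-tools", "private": True},
    ]
}


def audit_org_secrets(org_secrets, selected_repos):
    """Return findings for org-level secrets that a public repository's workflow can read."""
    findings = []
    for secret in org_secrets.get("secrets", []):
        name, visibility = secret["name"], secret.get("visibility")
        if visibility == "all":
            findings.append({"secret": name, "reason": "visible to every repository, public ones included"})
        elif visibility == "selected":
            public = [r["full_name"] for r in selected_repos.get(name, []) if not r.get("private", True)]
            if public:
                findings.append({"secret": name, "reason": "selected repositories include public: " + ", ".join(public)})
        # "private" visibility (private and internal repositories only) raises no finding.
    return findings


def remediation_body(private_repo_ids=()):
    """Body for PUT /orgs/{org}/actions/secrets/{name} that removes the public exposure."""
    if private_repo_ids:
        return {"visibility": "selected", "selected_repository_ids": list(private_repo_ids)}
    return {"visibility": "private"}


if __name__ == "__main__":
    for f in audit_org_secrets(ORG_SECRETS, SELECTED_REPOS):
        print(f"{f['secret']}: {f['reason']}")
```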