Skip to main content

☑️ Prevent exposed GitHub secrets in objects

Kubernetes objects may need to use secret data in their configs such as passwords/tokens/etc. Providing such sensitive data in plain-text is risky and highly unrecommended, as it can be stolen and used maliciously.
Different tools have different secrets, each with its own convention and format.

The gitleaks project aggregates such tools and stays up-to-date with their secret data format.

Targeted objects by this rule (types of kind): All

Complexity: medium (


Policy as code identifier: ALL_EXPOSED_SECRET_GITHUB

This rule will fail​

If a GitHub App token, OAuth access token, Personal access token, and/or Refresh token are present anywhere in the config:

APP_TOKEN: ghs_kWZwPsQhrkrasBRhhMxVm8S7iU5HGcJHzVC9
OAUTH_ACCESS_TOKEN: gho_fq2Umv92EQx02Gdc7Haias0UqKmq8xIeeund
REFRESH_TOKEN: ghr_AeUzatg8Tw3uWDa8eA54nId8v1aDZSUDParQ

Rule output in the CLI​

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent exposed GitHub secrets in objects [1 occurrence]
💡 Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen

How to fix this failure​

Do not put sensitive data in any config. Kubernetes offers the handy Secret object to handle this.
If you do not wish to use Secrets, take a look at these available alternatives.

Read more​