How I handle security

There was a recent news blurb about credentials being available by Github actions. My analysis was that I only used Github actions to update my Hugo blogs.

I used security tools to analyze my Github repos and found that I used actions on four repos with this one being the main contender.

Possible credential stealing

This is the leaking of secrets to logs or artifacts that can be used or seen by others.

The only secret I have used is the GITHUB_TOKEN and it is not exposed in the logs or the artifacts. A credential monitoring system ensures the GITHUB_TOKEN is not added to the logs or the github-pages artifact.

Essential parts of the Github action process are also inspected and recommendations on the use of pinned versions of external actions to prevent contaminated components with changes to be introduced. A version monitoring system allows the monitoring of updated components which may include bug fixes.

I need to make changes to my yugo.xml script where updated components require additional specifics.