CVE-2021-32638 – CodeQL runner: Command-line options that make GitHub access tokens visible to other processes are now deprecated
https://notcve.org/view.php?id=CVE-2021-32638
GitHub's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token as a command-line parameter to the process instead of reading it from a file, standard input, or an environment variable. This approach made the token visible to other processes on the same machine, for example in the output of the `ps` command. If the CI system publicly exposes the output of `ps`, for example by logging it, then the GitHub access token can be exposed beyond the scope intended. Users of the CodeQL runner on third-party systems who are passing a GitHub token via the `--github-auth` flag are affected.

References:
https://github.com/github/codeql-action/commit/58defc0652e935f6f2ffc70a82828b98d75476fb
https://github.com/github/codeql-action/commit/88714e3a60e72ec53caa0e6a203652ee1f3fb1db
https://github.com/github/codeql-action/releases/tag/codeql-bundle-20210304
https://github.com/github/codeql-action/security/advisories/GHSA-g36v-2xff-pv5m
https://www.netmeister.org/blog/passing-passwords.html

Weaknesses:
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-214: Invocation of Process Using Visible Sensitive Information
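The exposure the advisory describes, and the two alternatives it names, can be reproduced in a POSIX shell. The script below is an added illustration, not code from the advisory or from the codeql-action project: a stand-in "runner" (a shell child that just sleeps) receives a constructed placeholder token on the command line, in an environment variable, and on standard input, and the script reads each child's argument list the way `ps` would. `--github-auth` is the flag named in the advisory; `--auth-from-stdin` and the `GITHUB_TOKEN` variable name are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added demonstration; not from the advisory or the codeql-action project.
# Shows which of three ways of handing a secret to a child process leaves it
# readable by any local user through `ps` (or /proc/<pid>/cmdline).

# Constructed placeholder; not a real token.
FAKE_TOKEN="ghp_EXAMPLE_NOT_A_REAL_TOKEN_0123456789"

# Print the argument list of process $1 as another local user could see it:
# via /proc on Linux, falling back to `ps` elsewhere.
cmdline_of() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\0' ' ' < "/proc/$1/cmdline"
  else
    ps -p "$1" -o args=
  fi
}

# Give background child $1 time to exec, capture its argv, then stop it.
# Returns 0 if FAKE_TOKEN appears in that argv, 1 otherwise.
argv_contains_token() {
  sleep 1
  out=$(cmdline_of "$1")
  kill "$1" 2>/dev/null || true
  wait "$1" 2>/dev/null || true
  case "$out" in
    *"$FAKE_TOKEN"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Deprecated pattern from the advisory: the token as a --github-auth argument.
# ("runner" is the child's $0; the trailing `exit 0` keeps the shell from
# exec'ing sleep in place, so the argv stays that of the stand-in runner.)
token_in_argv_visible() {
  sh -c 'sleep 2; exit 0' runner --github-auth "$FAKE_TOKEN" &
  argv_contains_token $!
}

# Environment variable (GITHUB_TOKEN is an assumed name): argv stays clean.
# Caveat: /proc/<pid>/environ is still readable by the same user and by root.
token_in_env_visible() {
  GITHUB_TOKEN="$FAKE_TOKEN" sh -c 'sleep 2; exit 0' runner &
  argv_contains_token $!
}

# Standard input: the child reads the token from its stdin. --auth-from-stdin
# is a hypothetical flag standing in for a "read the token from stdin" option.
token_via_stdin_visible() {
  printf '%s\n' "$FAKE_TOKEN" | sh -c 'read -r t; sleep 2; exit 0' runner --auth-from-stdin &
  argv_contains_token $!
}

# Summarise the three patterns for a human reader.
report() {
  if token_in_argv_visible; then echo "argv:  token visible in ps output"; else echo "argv:  token hidden from ps"; fi
  if token_in_env_visible; then echo "env:   token visible in ps output"; else echo "env:   token hidden from ps"; fi
  if token_via_stdin_visible; then echo "stdin: token visible in ps output"; else echo "stdin: token hidden from ps"; fi
}

report
```

Only the argv case reports the token as visible. The environment-variable case hides it from `ps` but not from processes running as the same user or as root, which is why reading the secret from standard input or a permission-restricted file is the stronger of the alternatives the advisory lists.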