
CVE-2021-32638 – CodeQL runner: Command-line options that make GitHub access tokens visible to other processes are now deprecated
https://notcve.org/view.php?id=CVE-2021-32638
25 May 2021

GitHub's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token as a command-line parameter to the process instead of reading it from a file, standard input, or an environment variable. This approach made the token visible to other processes on the same machine, for example in the output of the `ps` command. If the CI system pub...

Reference: https://github.com/github/codeql-action/commit/58defc0652e935f6f2ffc70a82828b98d75476fb

Weaknesses: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-214: Invocation of Process Using Visible Sensitive Information
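As an added illustration of the exposure described above (this is example code, not part of the CVE record or of the codeql-action project), the following Python check parses procfs-style command lines and reports arguments that carry a GitHub-token-shaped string, the same data `ps` would show; the token regex, the sample argv and the `--github-auth` flag name are assumptions made for the example.

```python
import os
import re
from typing import List, Tuple

# Assumed token shape: a gh?_ prefix followed by alphanumerics. The pattern is
# an illustration for this example, not something the advisory specifies.
TOKEN_RE = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b")

def parse_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv) into a list."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def find_exposed_tokens(argv: List[str]) -> List[Tuple[int, str]]:
    """Return (argv index, redacted token) for each argument carrying a token.

    Tokens handed over via stdin, a file or an environment variable never show
    up in argv, so only the command-line exposure the CVE describes is reported.
    """
    hits = []
    for idx, arg in enumerate(argv):
        for m in TOKEN_RE.finditer(arg):
            tok = m.group(0)
            hits.append((idx, tok[:4] + "..." + tok[-4:]))  # redacted so the report does not leak it
    return hits

def scan_procfs(proc_root: str = "/proc") -> List[Tuple[int, str, List[Tuple[int, str]]]]:
    """Walk a procfs tree and return (pid, argv[0], hits) for offending processes."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                argv = parse_cmdline(f.read())
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # process exited or is not readable; skip it
        hits = find_exposed_tokens(argv)
        if hits:
            findings.append((int(entry), argv[0] if argv else "", hits))
    return findings

if __name__ == "__main__":
    # Constructed sample: a runner invocation with the token on the command line
    # (the --github-auth flag name is assumed for illustration).
    sample = b"codeql-runner\0init\0--github-auth\0ghp_" + b"A" * 36 + b"\0"
    print(find_exposed_tokens(parse_cmdline(sample)))  # -> [(3, 'ghp_...AAAA')]
    if os.path.isdir("/proc"):
        for pid, exe, hits in scan_procfs():
            print(pid, exe, hits)
```

Running it on a CI host while a job executes shows which invocations still pass the token as an argument; the same inspection is what any unprivileged process on that machine can perform.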