Long-lived cloud credentials instead of OIDC
============================================

.. list-table::
   :stub-columns: 1
   :widths: 20 80

   * - Rule ID
     - ``oidc_not_used``
   * - Category
     - security
   * - Severity
     - medium

The workflow injects static cloud credentials (``AWS_ACCESS_KEY_ID`` and similar) from repository secrets instead of obtaining short-lived tokens through OIDC federation.

Detection
---------

``static_analysis`` — Checks field presence or value in the workflow YAML.

Examples
--------

**Non-compliant:**

.. code-block:: yaml

   jobs:
     deploy:
       env:
         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       steps:
         - run: aws s3 sync dist/ s3://my-bucket

**Compliant:**

.. code-block:: yaml

   permissions:
     id-token: write
     contents: read

   jobs:
     deploy:
       steps:
         - uses: aws-actions/configure-aws-credentials@v4
           with:
             role-to-assume: arn:aws:iam::123456789:role/github-actions
             aws-region: us-east-1
         - run: aws s3 sync dist/ s3://my-bucket

**Fix**: Configure OIDC federation between GitHub Actions and your cloud provider. Grant the ``id-token: write`` permission and use the provider's official OIDC action instead of storing long-lived credentials.
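The detection step above, as an added example that is not the linter's own code: a Python check over an already-parsed workflow mapping (what ``yaml.safe_load`` returns) that flags env entries loading static keys from ``secrets.*`` at workflow, job and step level, and reports whether ``id-token: write`` is granted. The Azure and Google variable names in the key set are assumptions added for illustration; the two sample workflows are constructed to mirror the ones on this page.

```python
# Added example, not the project's rule implementation. It walks a GitHub
# Actions workflow already parsed into a mapping (what yaml.safe_load would
# return) and reports static cloud keys injected from secrets.

# Variable names treated as long-lived keys. The AWS names come from the
# rule text; the Azure and Google names are assumptions for illustration.
STATIC_CREDENTIAL_KEYS = {
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
    "AZURE_CLIENT_SECRET", "GOOGLE_CREDENTIALS",
}

def _static_secret_refs(env, where):
    """Yield (location, variable) for env entries loading a static key from secrets."""
    for key, value in (env or {}).items():
        if key.upper() in STATIC_CREDENTIAL_KEYS and "secrets." in str(value):
            yield (where, key)

def find_static_cloud_credentials(workflow):
    """Collect findings from workflow-, job- and step-level env blocks."""
    findings = list(_static_secret_refs(workflow.get("env"), "workflow"))
    for name, job in (workflow.get("jobs") or {}).items():
        findings += _static_secret_refs(job.get("env"), f"jobs.{name}")
        for i, step in enumerate(job.get("steps") or []):
            findings += _static_secret_refs(step.get("env"), f"jobs.{name}.steps[{i}]")
    return findings

def _grants_id_token(permissions):
    """True if a permissions block allows minting an OIDC token."""
    if isinstance(permissions, dict):
        return permissions.get("id-token") == "write"
    return permissions == "write-all"  # YAML shorthand form

def uses_oidc(workflow):
    """True when id-token: write is granted at workflow level or on any job."""
    jobs = (workflow.get("jobs") or {}).values()
    return _grants_id_token(workflow.get("permissions")) or any(
        _grants_id_token(job.get("permissions")) for job in jobs)

# Constructed inputs mirroring the two workflows on this page.
NON_COMPLIANT = {"jobs": {"deploy": {
    "env": {"AWS_ACCESS_KEY_ID": "${{ secrets.AWS_ACCESS_KEY_ID }}",
            "AWS_SECRET_ACCESS_KEY": "${{ secrets.AWS_SECRET_ACCESS_KEY }}"},
    "steps": [{"run": "aws s3 sync dist/ s3://my-bucket"}]}}}
COMPLIANT = {"permissions": {"id-token": "write", "contents": "read"},
             "jobs": {"deploy": {"steps": [
                 {"uses": "aws-actions/configure-aws-credentials@v4",
                  "with": {"role-to-assume": "arn:aws:iam::123456789:role/github-actions",
                           "aws-region": "us-east-1"}},
                 {"run": "aws s3 sync dist/ s3://my-bucket"}]}}}
```

A workflow is non-compliant when ``find_static_cloud_credentials`` returns any finding; ``uses_oidc`` tells the reporter whether the fix is "switch to OIDC" or merely "drop the leftover static keys".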