# Hardcoded environment-specific values
| Rule ID | |
|---|---|
| Category | maintainability |
| Severity | medium |
Values like URLs, bucket names, or region names are hardcoded in the workflow instead of being referenced from repository variables or secrets.
## Detection
pattern_matching — Regex or keyword matching on string field values.
## Examples
Non-compliant:

```yaml
jobs:
  deploy:
    env:
      API_URL: https://api.production.example.com
      BUCKET: my-app-artifacts
    steps:
      - run: ./deploy.sh
```

Compliant:

```yaml
jobs:
  deploy:
    env:
      API_URL: ${{ vars.API_URL }}
      BUCKET: ${{ vars.ARTIFACT_BUCKET }}
    steps:
      - run: ./deploy.sh
```
Fix: Move environment-specific values (URLs, bucket names, regions) to GitHub repository or environment variables and reference them with `${{ vars.VAR_NAME }}`.
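The following is an added, stand-alone illustration of the `pattern_matching` detection described above; it is not the rule's own implementation. It scans a workflow line by line, skips any value that already uses a `${{ ... }}` expression, and flags values that look like URLs or cloud region names, or keys that name a bucket. The regexes, the `classify`/`find_hardcoded` function names, and the sample workflows (which extend the page's examples with an `AWS_REGION` line) are all constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed patterns for this example; a production rule would tune these.
EXPR_RE = re.compile(r"\$\{\{.*?\}\}")                  # ${{ vars.X }} / ${{ secrets.X }}
URL_RE = re.compile(r"^https?://\S+$")                  # whole value is a URL
REGION_RE = re.compile(r"^[a-z]{2}-(gov-)?[a-z]+-\d$")  # e.g. us-east-1, eu-central-1
BUCKET_KEY_RE = re.compile(r"BUCKET|S3_|STORAGE", re.IGNORECASE)
# `key: value` lines only; list items ("- run: ...") and bare keys ("env:") are skipped.
KV_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_-]*):\s*(\S.*)$")


def classify(key: str, value: str) -> Optional[str]:
    """Return the kind of hardcoded value found, or None if the value is fine."""
    if EXPR_RE.search(value):
        return None  # referenced from vars/secrets: compliant
    v = value.strip().strip("\"'")
    if URL_RE.match(v):
        return "url"
    if REGION_RE.match(v):
        return "region"
    if BUCKET_KEY_RE.search(key):
        return "bucket"
    return None


def find_hardcoded(workflow_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_number, key, value, kind) for every hardcoded value found."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        kind = classify(key, value)
        if kind:
            findings.append((lineno, key, value, kind))
    return findings


# Constructed sample workflows based on the page's examples.
NONCOMPLIANT = """\
jobs:
  deploy:
    env:
      API_URL: https://api.production.example.com
      BUCKET: my-app-artifacts
      AWS_REGION: us-east-1
    steps:
      - run: ./deploy.sh
"""

COMPLIANT = """\
jobs:
  deploy:
    env:
      API_URL: ${{ vars.API_URL }}
      BUCKET: ${{ vars.ARTIFACT_BUCKET }}
      AWS_REGION: ${{ vars.AWS_REGION }}
    steps:
      - run: ./deploy.sh
"""

if __name__ == "__main__":
    for lineno, key, value, kind in find_hardcoded(NONCOMPLIANT):
        print(f"line {lineno}: {key} looks like a hardcoded {kind}: {value}")
    print("compliant findings:", find_hardcoded(COMPLIANT))
```

Because the URL and region patterns are anchored to the whole value, a `run:` step that merely contains a URL inside a longer command is not flagged; the check targets configuration values, which is where the rule says the risk lives. The bucket check keys off the field name rather than the value, since bucket names have no distinctive shape.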