# Artifact uploaded without retention limit

| Rule ID | |
|---|---|
| Category | security |
| Severity | medium |
The job uploads artifacts without an explicit `retention-days` setting. GitHub Actions artifacts are publicly readable for 90 days by default; limiting the retention window reduces the exposure of potentially sensitive build outputs.

## Detection
static_analysis — Checks field presence or value in the workflow YAML.
## Examples

Non-compliant:

```yaml
jobs:
  build:
    steps:
      - uses: actions/upload-artifact@v4
        with:
          name: release-binary
          path: dist/app
```
Compliant:

```yaml
jobs:
  build:
    steps:
      - uses: actions/upload-artifact@v4
        with:
          name: release-binary
          path: dist/app
          retention-days: 3
```
Fix: Set `retention-days` on every `actions/upload-artifact` step to limit the window during which build outputs are publicly accessible. Use the shortest duration sufficient for downstream consumption.
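An added example, not the scanner's own implementation, of the static check this rule describes: it walks a parsed workflow, finds every `actions/upload-artifact` step, and reports those whose `retention-days` input is missing or not a usable value. The `MAX_RETENTION_DAYS` ceiling of 90 and the `load_workflow` helper (which needs PyYAML) are assumptions; the sample workflow is constructed from the rule's two examples.

```python
"""Flag actions/upload-artifact steps whose retention window is unset or invalid."""
from typing import Any

UPLOAD_ACTION = "actions/upload-artifact@"
MAX_RETENTION_DAYS = 90  # assumption: GitHub's ceiling for retention-days

def _retention_ok(value: Any) -> bool:
    """True only when retention-days is an integer in 1..MAX_RETENTION_DAYS."""
    if isinstance(value, bool):  # YAML `true`/`false` load as bool; reject them
        return False
    if isinstance(value, str) and value.strip().isdigit():
        value = int(value)  # quoted numbers such as "3" are accepted by the action
    return isinstance(value, int) and 1 <= value <= MAX_RETENTION_DAYS

def find_unbounded_uploads(workflow: dict) -> list[dict]:
    """One finding per upload-artifact step with no valid retention-days input."""
    findings = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        for index, step in enumerate(job.get("steps") or []):  # reusable-workflow jobs have no steps
            if not str(step.get("uses", "")).startswith(UPLOAD_ACTION):
                continue
            inputs = step.get("with") or {}
            if "retention-days" not in inputs:
                reason = "retention-days not set; artifact kept for the 90-day default"
            elif not _retention_ok(inputs["retention-days"]):
                reason = f"retention-days has an invalid value: {inputs['retention-days']!r}"
            else:
                continue
            findings.append({"job": job_id, "step": index,
                             "name": inputs.get("name"), "reason": reason})
    return findings

def load_workflow(path: str) -> dict:
    """Parse a workflow file with PyYAML (only needed when scanning real files)."""
    import yaml  # imported lazily so the checker itself has no third-party dependency
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}

# Constructed sample: the rule's non-compliant step in `build`, its compliant step in `package`.
SAMPLE_WORKFLOW = {"jobs": {
    "build": {"steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "actions/upload-artifact@v4",
         "with": {"name": "release-binary", "path": "dist/app"}}]},
    "package": {"steps": [
        {"uses": "actions/upload-artifact@v4",
         "with": {"name": "release-binary", "path": "dist/app", "retention-days": 3}}]},
}}
```

Running `find_unbounded_uploads(load_workflow(".github/workflows/ci.yml"))` over a real file yields the same finding records as the constructed sample: only the `build` job's upload is reported.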