Regarding GitHub actions and it's secret manager. Any decently organized company would do well to stay away from well known secret interfaces.
Instead use oidc auth to fetch secrets just in time, all short-lived for the duration of the pipeline.
Author here. Built VaultProof after analyzing the Trivy attack
the credential harvesting worked specifically because the keys existed
as plaintext in the CI/CD environment after retrieval from the secrets
manager. Happy to go deep on the Shamir architecture or the attack
mechanics if useful.
Regarding GitHub actions and it's secret manager. Any decently organized company would do well to stay away from well known secret interfaces. Instead use oidc auth to fetch secrets just in time, all short-lived for the duration of the pipeline.
Author here. Built VaultProof after analyzing the Trivy attack the credential harvesting worked specifically because the keys existed as plaintext in the CI/CD environment after retrieval from the secrets manager. Happy to go deep on the Shamir architecture or the attack mechanics if useful.