Prompt
Before using third-party actions, libraries, or dependencies that require access to sensitive data (tokens, secrets, credentials), conduct a thorough security audit. Third-party code, especially when source is obfuscated or built/compiled, poses significant security risks when granted access to sensitive resources.
Key evaluation steps:
- Review source code transparency: prefer dependencies with clear, readable source code over those distributed only as built/compiled artifacts
- Apply the principle of least privilege: use tokens with the minimal permissions the dependency actually needs (e.g., a `read:org`-only token instead of broader access)
- Consider alternatives: evaluate copying the source code into your own codebase or forking the dependency into your organization's control
- Assess maintenance and reputation: review the dependency's maintenance status, contributor history, and community trust
Example from GitHub Actions:
```yaml
# Instead of using a third-party action with a broad token
- uses: third-party/action@v1
  with:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# Consider forking to your org or copying the source code
- uses: your-org/forked-action@v1
  with:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
When in doubt, prioritize security over convenience by maintaining direct control over code that accesses sensitive resources.
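As an added illustration (not part of the original prompt), the script below turns the evaluation steps above into an automatable check over a workflow file: it flags every `uses:` step whose owner is outside a set of trusted organizations, reports when such a step is handed a repository secret or the workflow token, and, going one step beyond the text, also flags third-party actions that are not pinned to a full commit SHA. The trusted-owner set, the constructed workflow text and the `Finding` type are assumptions of this example; it uses only the standard library so it runs offline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption for this example: owners whose actions are under our control
# (our own org plus GitHub's first-party namespaces).
TRUSTED_OWNERS = {"your-org", "actions", "github"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
STEP_START_RE = re.compile(r"^\s*-\s")
SECRET_RE = re.compile(r"secrets\.|github\.token", re.IGNORECASE)


@dataclass
class Finding:
    line: int      # 1-based line of the offending `uses:` entry
    action: str    # the full `owner/repo@ref` string
    reason: str


def step_receives_secret(lines: list[str], uses_index: int) -> bool:
    """Scan the lines after a `uses:` entry (its `with:`/`env:` block) until the
    next step starts; return True if a secret or the workflow token is passed."""
    for line in lines[uses_index + 1:]:
        if STEP_START_RE.match(line):
            break
        if SECRET_RE.search(line):
            return True
    return False


def has_top_level_permissions(text: str) -> bool:
    """True if the workflow declares a top-level `permissions:` block, i.e. the
    GITHUB_TOKEN is explicitly scoped rather than left at its default."""
    return re.search(r"^permissions:", text, re.MULTILINE) is not None


def audit_workflow(text: str) -> list[Finding]:
    """Return findings for third-party actions that are unpinned or receive secrets."""
    findings: list[Finding] = []
    lines = text.splitlines()
    for index, line in enumerate(lines):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions are out of scope for this check
        repo, _, version = ref.partition("@")
        owner = repo.split("/")[0]
        if owner in TRUSTED_OWNERS:
            continue
        line_no = index + 1
        if not SHA_RE.match(version):
            findings.append(Finding(line_no, ref, "third-party action not pinned to a commit SHA"))
        if step_receives_secret(lines, index):
            findings.append(Finding(line_no, ref, "third-party action receives a secret or GITHUB_TOKEN"))
    return findings


# Constructed sample workflow mirroring the before/after steps in the prompt.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: third-party/action@v1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: your-org/forked-action@v1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: other-vendor/tool@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    if not has_top_level_permissions(SAMPLE_WORKFLOW):
        print("warning: no top-level permissions block; GITHUB_TOKEN keeps default scope")
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {finding.line}: {finding.action}: {finding.reason}")
```

Run against the sample, only the `third-party/action@v1` step is reported (twice: unpinned, and handed the token); the forked action under `your-org` and the SHA-pinned vendor action that receives nothing pass. A regex scan like this is a cheap pre-review gate, not a substitute for reading the action's source before it gets a token.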