Researchers at Palo Alto Networks found that Azure CLI commands run inside GitHub Actions workflows could write sensitive credentials and environment variables into the job logs.
The issue affects both public and private repositories: the logs of a public repository are readable by anyone, and those of a private repository by everyone with read access to it, so secrets that land there are exposed to parties who were never granted them.
The root cause is the Azure CLI's design of echoing back the full representation of any resource it accessed, created, updated or deleted, which can include secret property values such as the app settings or connection strings that were just written. A workflow step's standard output is captured in the job log, and GitHub only masks values it already knows about (registered repository secrets and values passed to ::add-mask::), so a credential that the CLI returns but that was never registered, for example a key generated by the service or a value assembled in the workflow, appears in clear text.
Later research by Orca Security showed that the AWS CLI and Google Cloud CLI are affected by the same issue, but AWS and Google consider this expected behaviour and did not change the tools, so for those CLIs the output handling in the pipeline is the only mitigation.
Affected Services
Azure CLI, AWS CLI, Google Cloud CLI
Remediation
Update Azure CLI to version 2.54 or later, which stops the affected commands from returning secrets in their output. Keep sensitive values in Azure Key Vault and fetch them at runtime rather than hard-coding or exporting them. When a command's response is needed, capture it in a shell variable and use a JMESPath --query expression to select only the non-sensitive fields; when it is not needed, redirect it to /dev/null or pass --output none. Register any secret a pipeline retrieves at runtime with the ::add-mask:: workflow command before it can appear in later output. As a general rule, avoid storing secrets in environment variables and instead retrieve them on demand from a dedicated secrets store such as Azure Key Vault, AWS Secrets Manager or Google Secret Manager. The same output-handling rules apply to the AWS and Google Cloud CLIs, since no fix was shipped for them.
Review existing GitHub Actions logs for exposed credentials and treat anything found there as compromised: rotate it, since the log may already have been read, downloaded or archived. Check every CLI invocation in workflow files for proper output handling. Run a secrets-scanning tool over the repository history to find secrets that may already have leaked.
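The remediation above (capture the response, mask at runtime, log only value-free fields) as an added example; this is not code from the advisory or from the Azure CLI project. The real az command is never run: fake_az() returns a constructed JSON payload shaped like the echo-back of an app-settings update, so the script runs offline, and the commented az lines show what would replace it in a real workflow step. The setting names, resource names and the secret value are all made up.

```shell
#!/bin/sh
# Added example (not from the advisory or the Azure CLI project): a pipeline
# step that lets the CLI echo-back reach the job log, beside a hardened one.
set -eu

# Constructed sample of what the CLI echoes back after an update: the whole
# resource, including the value of the secret that was just written.
fake_az() {
  cat <<'EOF'
[
  {"name": "DB_PASSWORD", "slotSetting": false, "value": "hunter2-super-secret"},
  {"name": "LOG_LEVEL", "slotSetting": false, "value": "info"}
]
EOF
}

# Pull one setting's value out of the JSON. Assumes the one-object-per-line
# layout above; a real pipeline would let the CLI do this with
#   --query "[?name=='DB_PASSWORD'].value" -o tsv
# instead of running sed over the full response.
extract_setting() {
  printf '%s\n' "$1" | sed -n "s/.*\"name\": \"$2\".*\"value\": \"\([^\"]*\)\".*/\1/p"
}

# Build the only line that should reach the log: setting names, no values.
log_safe_summary() {
  printf 'updated settings: %s\n' \
    "$(printf '%s\n' "$1" | sed -n 's/.*"name": "\([^"]*\)".*/\1/p' | tr '\n' ' ' | sed 's/ $//')"
}

# LEAKY: the step's stdout is the Actions log, so the full echo-back, secret
# included, is logged. GitHub's automatic masking does not help when the value
# was never registered as a repository secret (hypothetical RG/APP names).
leaky_step() {
  # real workflow: az webapp config appsettings set -g "$RG" -n "$APP" \
  #                  --settings DB_PASSWORD="$DB_PASSWORD" LOG_LEVEL=info
  fake_az
}

# HARDENED: capture the response, register the sensitive value with the
# runner's ::add-mask:: workflow command, and print only a value-free summary.
# If nothing from the response is needed, add --output none and capture nothing.
hardened_step() {
  out="$(fake_az)"   # real workflow: the same az command with --output json
  secret="$(extract_setting "$out" DB_PASSWORD)"
  # The runner consumes this line (it is not displayed) and redacts every
  # later occurrence of the value in this job's log.
  printf '::add-mask::%s\n' "$secret"
  log_safe_summary "$out"
}

# Stand-alone run: show both behaviours side by side.
echo '--- leaky step output (this is what lands in the log) ---'
leaky_step
echo '--- hardened step output ---'
hardened_step
```

Note that ::add-mask:: only affects output produced after the runner has processed it, and only within the same job; a value printed earlier in the step, or by another job, is not redacted retroactively, which is why the hardened step registers the mask before it logs anything else.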