secrets-inherit: soften to best-practice recommendation

JamieMagee · JamieMagee · commit b71f88ab9533 · 2026-04-02T15:10:08.000-07:00
diff --git a/actions/ql/src/experimental/Security/CWE-200/SecretsInherit.md b/actions/ql/src/experimental/Security/CWE-200/SecretsInherit.md
@@ -1,10 +1,10 @@
 ## Overview
 
-When calling a reusable workflow with `secrets: inherit`, all organization, repository, and environment secrets from the parent workflow are forwarded to the called workflow. This violates the principle of least privilege and increases the impact of a potential vulnerability in the reusable workflow.
+When calling a reusable workflow with `secrets: inherit`, every secret the calling workflow can access (organization, repository, and environment secrets) is forwarded to the callee. This is convenient but broader than most callees require. If the reusable workflow has a vulnerability — for example, a template-injection flaw — the blast radius includes every inherited secret rather than just the ones it actually uses.
 
 ## Recommendation
 
-Instead of using `secrets: inherit`, explicitly pass only the secrets that the reusable workflow actually needs via a `secrets:` block.
+As a defense-in-depth measure, prefer passing only the secrets the reusable workflow needs via an explicit `secrets:` block.
 
 ## Example
 
diff --git a/actions/ql/src/experimental/Security/CWE-200/SecretsInherit.ql b/actions/ql/src/experimental/Security/CWE-200/SecretsInherit.ql
@@ -1,11 +1,11 @@
 /**
  * @name Secrets inherited by reusable workflow
- * @description Using `secrets: inherit` passes all parent secrets to a reusable workflow,
- *              violating the principle of least privilege.
+ * @description Using `secrets: inherit` passes every secret the calling workflow can access
+ *              to a reusable workflow, which is more than most callees need.
  * @kind problem
- * @precision high
- * @security-severity 5.0
- * @problem.severity warning
+ * @precision medium
+ * @security-severity 3.0
+ * @problem.severity recommendation
  * @id actions/secrets-inherit
  * @tags actions
  *       security
@@ -22,5 +22,5 @@ where
   secretsNode = job.(ExternalJobImpl).getNode().lookup("secrets") and
   secretsNode.getValue() = "inherit"
 select secretsNode,
-  "All parent secrets are unconditionally inherited by the reusable workflow $@. Pass only the secrets that are needed.",
+  "Every secret accessible to the calling workflow is forwarded to $@. Consider passing only the secrets it actually needs.",
   job.(Uses).getCalleeNode(), job.(Uses).getCallee()
