Rethink the credential we used in .NET test source code and recording files #18989

Closed
sima-zhu opened this issue Feb 24, 2021 · 3 comments
Assignees
Labels
Client This issue points to a problem in the data-plane of the library. EngSys This issue is impacting the engineering system.

Comments

@sima-zhu
Contributor

sima-zhu commented Feb 24, 2021

Current Status
We have already set up the cred scan steps in aggregate-report, and we can check the error report here: link
However, the team keeps checking in new files containing new keys, which fail the pipeline.

Open Issues to address
We have a suppression file to suppress some of the existing issues.
It is a huge effort to suppress every newly detected key in the suppression file, since most reported cases are false positives. However, blindly suppressing the keys would probably hide the real issues. Therefore, we have to rethink how we generate those keys and reuse them as much as possible.

Facts
Currently, we basically have 3 types of errors:

  • Placeholder key/secret in test src code. E.g. password = "123".
    We'd better reuse the fake key inside the suppression file instead of generating new ones for new tests.
  • Files which only contain the key, mostly appearing in keyvault and identity. E.g. client.jks, pemCert.pem
    If any new service needs to reuse the same key, it is better to move the key files into some common space, so we do not need to suppress them one by one for each service.
  • (Important) SAS, shared key, web hook token, hashkey etc.
    For this category, we saw a lot of randomly generated keys/secrets/tokens. The team had better review how each service generates those keys, and whether we can share the same type of key for all services, so that we can reuse and suppress only a certain number of keys. Can we reuse the redact string instead of real ones?
@ghost ghost added the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Feb 24, 2021
@jsquire jsquire added Central-EngSys This issue is owned by the Engineering System team. EngSys This issue is impacting the engineering system. and removed needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. labels Feb 24, 2021
@kurtzeborn kurtzeborn added Client This issue points to a problem in the data-plane of the library. and removed Central-EngSys This issue is owned by the Engineering System team. labels Feb 24, 2021
@sima-zhu sima-zhu self-assigned this Feb 24, 2021
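The three categories in the opening post share one remedy: reuse a single sanctioned placeholder per kind of secret so that the suppression list stays short and anything outside it is worth a look. The Python below is an added illustration of that check, not the repository's own cred-scan tooling or its suppression file format. It scans a constructed excerpt of a .NET test file for secret-shaped literals (storage account key, SAS signature, password literal) and reports only the values absent from an allowlist; the regexes, the shared fake key, the `Sanitized` redact string and the sample source are all assumptions made for the example. A Shannon-entropy score is attached to each finding so a reviewer can tell a fresh random value from a low-entropy placeholder at a glance.

```python
"""Added example (not the repository's cred-scan tooling): a minimal secret
scan over .NET test source that reports only literals missing from a
suppression allowlist.  All patterns, placeholder values and the sample
source below are constructed for this illustration."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Assumed shared fake storage key (88 chars, base64-shaped) and assumed
# recording redact string; a real suppression file would be checked in.
SHARED_FAKE_KEY = "A" * 86 + "=="
REDACT_STRING = "Sanitized"
SUPPRESSED_VALUES = {SHARED_FAKE_KEY, REDACT_STRING}

# Secret-shaped literals of the kinds the issue lists (constructed regexes).
PATTERNS = {
    "storage-account-key": re.compile(r"AccountKey=([A-Za-z0-9+/=]{20,})"),
    "sas-signature": re.compile(r"[?&]sig=([A-Za-z0-9%+/=]+)"),
    "password-literal": re.compile(r'[Pp]assword\s*=\s*"([^"]+)"'),
}


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, repeated placeholders near 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_source(text: str, suppressed: set[str] | None = None) -> list[Finding]:
    """Return secret-shaped literals that are not on the suppression list."""
    allow = SUPPRESSED_VALUES if suppressed is None else suppressed
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1)
                if value in allow:
                    continue  # sanctioned placeholder: no new suppression needed
                findings.append(Finding(line_no, kind, value, shannon_entropy(value)))
    return findings


# Constructed excerpt standing in for a .NET test file: lines 1 and 3 reuse
# sanctioned placeholders, lines 2 and 4 introduce fresh values.
SAMPLE_TEST_CS = (
    'var ok  = "DefaultEndpointsProtocol=https;AccountName=t;AccountKey=' + SHARED_FAKE_KEY + '";\n'
    'var bad = "DefaultEndpointsProtocol=https;AccountName=t;AccountKey=Q2hhbmdlTWVOb3dUb0FSZWFsTG9va2luZ0tleQ==";\n'
    'var sas = "https://t.blob.core.windows.net/c?sv=2020-08-04&sig=' + REDACT_STRING + '";\n'
    'string password = "123";\n'
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_TEST_CS):
        print(f"line {f.line_no}: {f.kind} value={f.value!r} entropy={f.entropy:.2f}")
```

Run stand-alone, the script reports only lines 2 and 4; passing an empty allowlist reports all four, which is the noise the issue describes. Keeping the allowlist to a handful of shared values (rather than suppressing each newly generated key) is what makes the remaining findings reviewable.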
@maririos
Member

Related: #19316

@maririos
Member

Understanding where Track2 is: #19492

@nisha-bhatia
Member

Track1 Issue: #23687

@github-actions github-actions bot locked and limited conversation to collaborators Jun 5, 2023