Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Prioritized] Add secret protection via credscan #1950

Closed
scbedd opened this issue Aug 30, 2021 · 4 comments
Closed

[Prioritized] Add secret protection via credscan #1950

scbedd opened this issue Aug 30, 2021 · 4 comments
Assignees
@scbedd
Labels
Central-EngSys This issue is owned by the Engineering System team. Test-Proxy Anything relating to test-proxy requests or issues.

Comments

@scbedd
Copy link
Member

scbedd commented Aug 30, 2021
edited
Loading

This is a bit hazy at the moment due to the "when" part really affecting us. The most effective time to run credscan is as a pre-commit hook. However, given that its got more than a few local requirements, I'm not certain this would be a great developer experience.

The timing of when to trigger the credscan is a bit suspect, but perhaps we can add some sort of file-watcher (especially in the docker image) that runs credscan on any new recordings files?

EDIT 10/7.

Now that test-proxy has recording retrieval integrated, we have an excellent place to prevent cred leaks. We can place a scan on the push operation. Anything that would fail will prevent the push from happening.

Furthermore, @LarryOsterman has requested that this is a setting that can be enabled / disabled on the server.
@scbedd scbedd added the Central-EngSys This issue is owned by the Engineering System team. label Aug 30, 2021
@HarshaNalluru
Copy link
Member

We can just do whenever recorder.stop() is called, right?

@scbedd
Copy link
Member Author

scbedd commented Aug 30, 2021

Right, but we don't want to put an explicit dependency on credscan from the test-proxy.

If we can add credscan as a nuget dependency, then yes, I agree with you. I don't think that's a possibility though.

@scbedd
Copy link
Member Author

scbedd commented Sep 2, 2021
edited
Loading

Here is an article, will definitely be trying to integrate this.

Updated Article

@scbedd scbedd mentioned this issue Dec 7, 2021
Closed
@pakrym pakrym mentioned this issue Jan 25, 2022
Closed
@scbedd scbedd added the Test-Proxy Anything relating to test-proxy requests or issues. label May 11, 2022
@scbedd scbedd mentioned this issue Feb 9, 2023
Closed
2 tasks
@scbedd scbedd changed the title [Test-Proxy] Add secret protection via credscan [Prioritize] Add secret protection via credscan Feb 9, 2023
@scbedd scbedd changed the title [Prioritize] Add secret protection via credscan [Prioritized] Add secret protection via credscan Feb 9, 2023
@kurtzeborn kurtzeborn moved this from 🤔 Triage to 📋 Backlog in Azure SDK EngSys 🚢🎉 Jun 12, 2023
@scbedd
Copy link
Member Author

scbedd commented Jun 27, 2024

CredScan was a no-go, we instead integrated Microsoft.Security.Utilities for #8140

@scbedd scbedd closed this as completed Jun 27, 2024
@github-project-automation github-project-automation bot moved this from 📋 Backlog to 🎊 Closed in Azure SDK EngSys 🚢🎉 Jun 27, 2024
@scbedd scbedd moved this from 🎊 Closed to 🔬 Dev in PR in Azure SDK EngSys 🚢🎉 Jun 27, 2024
@scbedd scbedd moved this from 🔬 Dev in PR to 🎊 Closed in Azure SDK EngSys 🚢🎉 Jun 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@scbedd scbedd

Labels
Central-EngSys This issue is owned by the Engineering System team. Test-Proxy Anything relating to test-proxy requests or issues.
Projects
Azure SDK EngSys 🚢🎉
Archived in project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@HarshaNalluru @scbedd