refactor(cmd-api-server): clean up configuration parameters gitguardi… #2086
| GitGuardian id | Secret | Commit | Filename |
|---|---|---|---|
| - | Generic Private Key | b3fa477 | examples/cactus-example-carbon-accounting-backend/example-config.json |
| - | RSA Private Key | b3fa477 | examples/cactus-example-carbon-accounting-backend/example-config.json |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Our GitHub checks need improvements? Share your feedback!
Force-pushed: cfcbbae to 6060bd2
- name: GitGuardian scan | ||
uses: GitGuardian/ggshield-action@master | ||
with: | ||
args: --show-secrets --exit-zero --all-policies --verbose |
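Review bot: `--exit-zero` on the `args:` line makes ggshield return success even when it finds secrets, so this step can never fail the check and a leaked key would pass CI unnoticed; drop `--exit-zero` so findings fail the workflow (keep `--verbose` if the log detail is wanted). `--show-secrets` also prints the matched secret values into the public Actions log, which widens the exposure of anything it finds, so consider omitting it as well. The `uses: GitGuardian/ggshield-action@master` reference is a moving target; pin it to a release tag or, better, a full commit SHA.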
Idea 1
args: --show-secrets --exit-zero --all-policies --verbose | |
args: --show-secrets --exit-zero --all-policies --verbose --config-path ./gitguardian.yaml |
Idea 2 (desperate option)
Try to rename the config file to have .yml extension instead of .yaml just to 100% match what their documentation says.
@ruzell22 Please check out my suggestions here: https://github.com/hyperledger/cacti/pull/2086/files#r1107923389
@ruzell22 Final change request and sorry for spamming: Please break this into two pull requests where:
- First PR is just about adding the custom git guardian check of ours (e.g. the gitguardian workflow + the configuration file) - this PR must also address the change requests I just added related to the git guardian config files and workflow file
- Second PR is one that you mark as dependent on the first PR and it does the originally intended change which was to clean up the configuration parameters.
with: | ||
fetch-depth: 0 # fetch all history so multiple commits can be scanned | ||
env: | ||
GITHUB_TOKEN: "87028c11-8bef-4bd6-b440-5d3851314ead" |
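Review bot: the `GITHUB_TOKEN:` line commits a literal credential into the workflow file, so it is already in git history and exposed regardless of whether the line is deleted in a later commit; it must be revoked. The value should instead be `${{ secrets.GITHUB_TOKEN }}`, the token Actions injects for each run, which is exactly what the commented-out `docker login` step elsewhere in this file already does.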
@ruzell22 Please remove this and make sure to invalidate your token because this one now has been exposed.
# - name: Login to DockerHub Registry | ||
# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | ||
- name: GitGuardian scan | ||
uses: GitGuardian/ggshield-action@master |
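Review bot: `uses: GitGuardian/ggshield-action@master` tracks the branch head, so the code this workflow runs can change under it at any time; pin to a release tag, or preferably a full commit SHA with the tag noted in a trailing comment. The two commented-out DockerHub login lines above it are dead code and should be deleted rather than left commented, since they add nothing but confusion to the scan job.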
@ruzell22 Please pin to a specific version (whichever is latest right now is fine but it has to be a specific version such as v.3.2.1)
GITGUARDIAN_API_KEY: bBae0Daed3c0dFD1dC624380aA3FEbBfddD06dCeB3Ca5c2dCADF661C42617Dc65298FcE | ||
GITGUARDIAN_INSTANCE: 'https://api.gitguardian.com/' |
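Review bot: `GITGUARDIAN_API_KEY:` places a plaintext API key in the workflow file; move it to a repository secret and reference it as `${{ secrets.GITGUARDIAN_API_KEY }}`, and revoke this key in the GitGuardian dashboard because it is now part of the commit history. `GITGUARDIAN_INSTANCE:` is set to the public SaaS endpoint, which is what ggshield targets when the variable is absent, so that line can be dropped outright.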
@ruzell22 Please double check if we need this (e.g. remove them and then see if the checking process still works or not). If it does work without these then they should be removed. If it does NOT work without these then we MUST:
- Invalidate this gitguardian API key before someone maliciously uses it
- Generate a new git guardian API key, send that to me in private and I'll make sure to add it as a git repo level environment secret.
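Pulling the review requests above together (API key read from a repository secret instead of a literal, pinned action version, no `--exit-zero`, the `--config-path` this PR introduces), here is what a corrected scan job looks like. This is an added example, not the workflow from this PR; the secret name `GITGUARDIAN_API_KEY`, the `GITHUB_PUSH_*`/`GITHUB_PULL_*` range hints and the `<PINNED_VERSION>` placeholder are assumptions to check against the action's current README.

```yaml
name: GitGuardian scan

on: [push, pull_request]

jobs:
  scanning:
    name: GitGuardian scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0  # full history so every commit in the pushed range is scanned

      - name: GitGuardian scan
        # Pin to a specific release tag or full commit SHA; @master is a moving target.
        # <PINNED_VERSION> is a placeholder, replace it with a real tag from the action's releases.
        uses: GitGuardian/ggshield-action@<PINNED_VERSION>
        with:
          # No --exit-zero: a finding must fail the check.
          # No --show-secrets: matched values should not be echoed into the CI log.
          # --config-path points at the repo-level config this PR adds.
          args: --all-policies --verbose --config-path ./gitguardian.yaml
        env:
          # Commit-range hints the action uses to decide what to scan
          # (assumed from the action's documentation)
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          # The key lives in a repository secret, never as a literal in this file
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
```

The repository secret is created once by a maintainer under the repo settings, which is the "git repo level environment secret" the reviewer asks for above.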
Force-pushed: 12c3e5c to 16aafc2
Force-pushed: 3b3f33e to 5213675
…an scanner test test Signed-off-by: ruzell22 <[email protected]>
58a6665
to
1e848c9
Compare
related to hyperledger-cacti#720 and hyperledger-cacti#2086
This includes GitGuardian workflow + configuration file
To replace the original GitGuardian scanner so it will be configurable.
Signed-off-by: ruzell22 <[email protected]>
@ruzell22 Are you still working on this?
Hello @petermetz , the clean up configuration part is fixed already. However, the gitguardian issue is yet to be resolved. The question has been posted at stackoverflow, thank you.
Hello @petermetz , this draft PR relating to gitguardian can now be closed. Thank you.
@ruzell22 Got it, closing, thank you as well!