[engsys] add a document about credscan #20272
This is adopted from the python one.
If CredScan discovers an actual credential, please contact the EngSys team at azuresdkengsysteam@microsoft.com so any | ||
remediation can be done. |
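Review bot: these two lines tell the reader to contact EngSys "so any remediation can be done" but never say what that remediation is; consider adding one sentence that a real credential which has reached the repository must be treated as exposed and rotated or revoked by its owner, since deleting it from the file or suppressing the warning does not undo the exposure, and that the rotation should happen before or alongside the cleanup rather than waiting on it.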
Also, add regarding re-recording if the true positive is from a test recording if it applies?
We will enable this in PR validation soon. The recordings will be blocked too so I don't want to special case it in this document.
🚀 looks great! I had a general question about where these docs should live but not at all related to this PR
@@ -0,0 +1,67 @@ | |||
# Guide for monitoring CredScan checks |
Not at all for this PR but I notice we now go back and forth between our GH wiki and our documentation folder...
I almost prefer everything live in the documentation folder as .md files because it's easier to submit and review changes. Should we standardize on one or the other?
A good topic to discuss in team meeting? Yes, committed files make reviewing easier. Wiki allows quick turnaround that doesn't need a lot of reviews I guess.
Good idea, I added it to the agenda.
Credential warnings are suppressed in [eng/CredScanSuppression.json][suppression_file]. Suppressed string values are in | ||
the `"placeholder"` list, and suppressed files are in the `"file"` list under `"suppressions"`. | ||
|
||
If you have a fake credential flagged by CredScan, try one of the following (listed from most to least preferable): |
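Review bot: the description of the suppression file names the `"placeholder"` list and the `"file"` list but does not say how the two differ in scope, which matters for the "most to least preferable" ordering that follows; consider stating explicitly that a `"placeholder"` entry silences only that exact string value wherever it appears, whereas a `"file"` entry silences every finding in that file, including any real credential added later, so a file suppression should be the last resort and each entry should carry a justification a reviewer can check.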
😍
check enforcer is stuck not doing anything. overriding...
/check-enforcer override
Add a doc on our CredScan process and how to resolve warnings.
Fixes Azure/azure-sdk-tools#2630