Security Alerts #750
Comments
Merged #749
You are fast good sir! Thank you for addressing in such a timely fashion!
The key that key scanning flags appears to have been added in commit 22acf7c.
I was literally reviewing this PR and saw your issue just after merging it 😅
This is a pretty old commit. I don't see any security-related issue there. Do you have a report? Looks to be a false-positive to me.
The report is simply that since the compromised key still exists in the repo history, it can be detected; and GitHub's key scanning is producing a warning about it (even though it's no longer being used). The only way to make GitHub's key scanning happy regarding this issue would be to modify the old commit and rebase the remaining commits on top of the safely modified commit. I'm guessing that's not a viable solution at this point, but thought I'd raise it just in case.
Which compromised key? I believe this is a false-positive as
Hi, alternatively I can override and close the warning in my fork, but here is the security report: Azure Storage Account Access Key Detected in 1 location dist/index.js
@chaoscommencer Please send the report to security@docker.com. Thanks.
Will do. |
Ah ok I see the report on the repo that I have dismissed in the past. The "compromised" API key is the default one for the Azurite emulator: https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string#configure-a-connection-string-for-azurite. So it's ok to discard this alert. |
Ah, ok, thanks. Just wanted to make sure it was known and the key was revoked at the least. Guess I can stop writing that email now ;). Thanks! |
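The triage the maintainer performs above (a key-shaped string in `dist/index.js` is the Azurite emulator's publicly documented development key, so the alert is dismissible rather than a leak) can be scripted so the same call is made consistently across forks. The following is an added example, not code from this project or from anyone in the thread. The account name and key are the well-known Azurite values from the Microsoft Learn page linked above; the `dist/index.js` contents are constructed stand-ins, and the second "production-looking" key is built from a fixed byte pattern purely so the needs-rotation path is exercised.

```python
import base64
import re
from dataclasses import dataclass

# Publicly documented well-known key of the Azurite / Azure Storage Emulator
# development account (the Microsoft Learn page linked in the thread). It is
# not a secret: every Azurite instance accepts it, so finding it in a repo is
# test configuration, not a credential leak.
AZURITE_ACCOUNT_NAME = "devstoreaccount1"
AZURITE_ACCOUNT_KEY = (
    "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
)
KNOWN_TEST_KEYS = {AZURITE_ACCOUNT_KEY}

# An Azure Storage account key is 64 random bytes, base64-encoded: exactly 86
# base64 characters followed by "==". The lookbehind stops a match in the tail
# of a longer base64 blob. Any 64-byte base64 value matches, so this finds
# candidates only; the allow-list above does the actual triage.
KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{86}==)")


@dataclass
class Finding:
    line: int
    key: str
    verdict: str  # "known-test-key" (dismiss) or "needs-rotation" (treat as live)


def redact(key):
    """Show only a short prefix/suffix so triage output never re-leaks a real key."""
    return key[:6] + "..." + key[-2:]


def triage(text):
    """Return one Finding per key-shaped string in `text`, classified against the allow-list."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            key = m.group(1)
            verdict = "known-test-key" if key in KNOWN_TEST_KEYS else "needs-rotation"
            findings.append(Finding(lineno, key, verdict))
    return findings


def summarize(findings):
    """Redacted, human-readable lines suitable for pasting into an issue or alert dismissal note."""
    return [f"line {f.line}: {redact(f.key)} -> {f.verdict}" for f in findings]


# Constructed stand-in for a bundled dist/index.js: the Azurite connection string
# (legitimately committed test configuration) beside a constructed, non-emulator
# key derived from a fixed byte pattern. Neither line is from the real repository.
CONSTRUCTED_UNKNOWN_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DIST_JS = (
    f"const emulator = \"DefaultEndpointsProtocol=http;AccountName={AZURITE_ACCOUNT_NAME};"
    f"AccountKey={AZURITE_ACCOUNT_KEY};BlobEndpoint=http://127.0.0.1:10000/{AZURITE_ACCOUNT_NAME};\";\n"
    f"const prod = {{ accountName: \"examplestorage\", accountKey: \"{CONSTRUCTED_UNKNOWN_KEY}\" }};\n"
)

if __name__ == "__main__":
    for entry in summarize(triage(SAMPLE_DIST_JS)):
        print(entry)
```

Run against a checkout, the first line of the sample is classified `known-test-key` and the second `needs-rotation`. The point of keeping the allow-list explicit is that the exception is reviewable: a reader of the dismissal note can see exactly which documented emulator value was matched, and anything else that looks like a storage key still gets the default treatment of rotate first, investigate second.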
Troubleshooting
Before submitting a bug report please read the Troubleshooting doc.
Behaviour
I just forked this repository. I enabled dependabot, etc. for security-related purposes prior to use. I received the following two issues:
Azure Storage Account Access Key #1: The Azure secret in dist/index.js is compromised
Steps to reproduce this issue
Expected behaviour
Actual behaviour