Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

typo fix in security hardening #1036

Merged
merged 4 commits into from
Nov 5, 2020
Merged

typo fix in security hardening #1036

merged 4 commits into from
Nov 5, 2020

Conversation

lucasilverentand
Copy link
Contributor

@lucasilverentand lucasilverentand commented Nov 3, 2020

Why:

It seems that structured data should always be used for secrets. Correct me if I'm wrong.

What's being changed:

A (supposed) typo in the security docs.

Check off the following:

It seems that structured data should always be used for secrets. Correct me if I'm wrong.
@welcome
Copy link

welcome bot commented Nov 3, 2020

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@janiceilene
Copy link
Contributor

Thanks so much for opening a PR @lucasilverentand! I'll get this triaged for review ⚡

@janiceilene janiceilene added actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team ecosystem This issue or pull request should be reviewed by the Docs Ecosystem team labels Nov 4, 2020
@lucascosti lucascosti self-assigned this Nov 4, 2020
@@ -25,7 +25,7 @@ Secrets use [Libsodium sealed boxes](https://libsodium.gitbook.io/doc/public-key

To help prevent accidental disclosure, {% data variables.product.product_name %} uses a mechanism that attempts to redact any secrets that appear in run logs. This redaction looks for exact matches of any configured secrets, as well as common encodings of the values, such as Base64. However, because there are multiple ways a secret value can be transformed, this redaction is not guaranteed. As a result, there are certain proactive steps and good practices you should follow to help ensure secrets are redacted, and to limit other risks associated with secrets:

- **Never use structured data as a secret**
- **Never use unstructured data as a secret**
Copy link
Contributor

@lucascosti lucascosti Nov 4, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@brentjo This change makes sense to me, but I wanted to also get your 👀 just to make sure 🙂

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👋 @lucasilverentand thanks for opening this up, and for catching this. Structured was the intended word here though, so the typo's actually with how we go on to say Unstructured in the first sentence. As in: don't use "structured" data such as a blob of JSON as a secret, because secret redaction mostly looks for exact matches to the configured secrets, so doing so can cause redaction to fail. You want to configure the secret in its rawest form that you would want redacted in the event that value ever gets written to the logs.

"Structured" was the best term I could think of that captures that meaning, but definitely open to suggestions on that!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@brentjo that makes a lot of sense. I do agree with you that the term makes sense. Is there any chance someone else could make the change? Since I'm currently a bit busy with other projects.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lucasilverentand Can do! Thanks again for bringing this to our attention!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@brentjo glad I could help! 😇

@brentjo brentjo requested a review from lucascosti November 4, 2020 21:24
Copy link
Contributor

@lucascosti lucascosti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for clearing this up @brentjo and @lucasilverentand!

I'll get this merged in 🚀

@lucascosti lucascosti merged commit 282362d into github:main Nov 5, 2020
@github-actions
Copy link
Contributor

github-actions bot commented Nov 5, 2020

Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team ecosystem This issue or pull request should be reviewed by the Docs Ecosystem team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants