-
Notifications
You must be signed in to change notification settings - Fork 60.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
typo fix in security hardening #1036
Conversation
It seems that structured data should always be used for secrets. Correct me if I'm wrong.
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines. |
Thanks so much for opening a PR @lucasilverentand! I'll get this triaged for review ⚡ |
@@ -25,7 +25,7 @@ Secrets use [Libsodium sealed boxes](https://libsodium.gitbook.io/doc/public-key | |||
|
|||
To help prevent accidental disclosure, {% data variables.product.product_name %} uses a mechanism that attempts to redact any secrets that appear in run logs. This redaction looks for exact matches of any configured secrets, as well as common encodings of the values, such as Base64. However, because there are multiple ways a secret value can be transformed, this redaction is not guaranteed. As a result, there are certain proactive steps and good practices you should follow to help ensure secrets are redacted, and to limit other risks associated with secrets: | |||
|
|||
- **Never use structured data as a secret** | |||
- **Never use unstructured data as a secret** |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@brentjo This change makes sense to me, but I wanted to also get your 👀 just to make sure 🙂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👋 @lucasilverentand thanks for opening this up, and for catching this. Structured
was the intended word here though, so the typo's actually with how we go on to say Unstructured
in the first sentence. As in: don't use "structured" data such as a blob of JSON as a secret, because secret redaction mostly looks for exact matches to the configured secrets, so doing so can cause redaction to fail. You want to configure the secret in its rawest form that you would want redacted in the event that value ever gets written to the logs.
"Structured" was the best term I could think of that captures that meaning, but definitely open to suggestions on that!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@brentjo that makes a lot of sense. I do agree with you that the term makes sense. Is there any chance someone else could make the change? Since I'm currently a bit busy with other projects.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lucasilverentand Can do! Thanks again for bringing this to our attention!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@brentjo glad I could help! 😇
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot for clearing this up @brentjo and @lucasilverentand!
I'll get this merged in 🚀
Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours. |
* Add backfilling action example * Add description to schedule backfill * Restructure to match other example pages Co-authored-by: Lana Brindley <github@lanabrindley.com>
Why:
It seems that structured data should always be used for secrets. Correct me if I'm wrong.
What's being changed:
A (supposed) typo in the security docs.
Check off the following: