Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[EngSys] Sanitize 8 false positive CredScan leaks in Synapse #24911

Closed kinelski closed 9 months ago

kinelski commented 2 years ago

It seems we are using a (clearly fake) secret in our recordings: clientSecret. Example:

https://github.com/Azure/azure-sdk-for-net/blob/cbef31d9894a62cddb2140b05fa3f64c03abf30f/sdk/synapse/Azure.Analytics.Synapse.Artifacts/tests/SessionRecords/NotebookClientLiveTests/TestGetNotebookAsync.json#L1607

CredScan doesn't seem to realize it's not an actual secret (reported here), so it's detecting 8 leaks.

We have two options here:

  1. Add the string clientSecret to our CredScan suppression file.

  2. Update the Synapse tests to stop using the string clientSecret and start using one of the strings already being suppressed in the suppression file above (such as __CLIENT_SECRET__). Tests need to be recorded again in this case.

1 is way easier but we are trying to keep the suppression file clean. We should investigate how feasible it is to follow approach 2 and choose one of them.
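One way to apply option 2 to recordings mechanically, as an added example that is not part of the repository's own test tooling: a Python script that walks a SessionRecords JSON file and rewrites every value stored under a credential key to the already-suppressed __CLIENT_SECRET__ placeholder, so re-recorded or existing files can be checked for leftover fake secrets. The recording shape, the `client_secret` key name and the sample file contents are assumptions.

```python
import json
from typing import Any, Tuple

PLACEHOLDER = "__CLIENT_SECRET__"       # already in the CredScan suppression file
SECRET_KEYS = {"clientSecret", "client_secret"}  # assumed credential key names


def sanitize(node: Any) -> Tuple[Any, int]:
    """Return a sanitized copy of `node` and how many secret values were replaced."""
    if isinstance(node, dict):
        out, count = {}, 0
        for key, value in node.items():
            if key in SECRET_KEYS and isinstance(value, str) and value != PLACEHOLDER:
                out[key], count = PLACEHOLDER, count + 1
            else:
                out[key], n = sanitize(value)
                count += n
        return out, count
    if isinstance(node, list):
        items = [sanitize(v) for v in node]
        return [v for v, _ in items], sum(n for _, n in items)
    if isinstance(node, str) and node.lstrip()[:1] in ("{", "["):
        # Some bodies are recorded as JSON text rather than parsed objects;
        # sanitize inside those and re-serialize compactly.
        try:
            inner, n = sanitize(json.loads(node))
        except ValueError:
            return node, 0
        return (json.dumps(inner, separators=(",", ":")) if n else node), n
    return node, 0


def sanitize_recording(text: str) -> Tuple[str, int]:
    """Sanitize the contents of one SessionRecords file; returns (new_text, count)."""
    sanitized, count = sanitize(json.loads(text))
    return json.dumps(sanitized, indent=2), count


# Constructed recording fragment in the SessionRecords shape (not a real file).
SAMPLE_RECORDING = json.dumps({
    "Entries": [{
        "RequestUri": "https://example.dev.azuresynapse.net/notebooks/nb1",
        "RequestMethod": "PUT",
        "RequestBody": {"properties": {"clientSecret": "clientSecret"}},
        "ResponseBody": '{"properties":{"clientSecret":"clientSecret"}}',
    }],
    "Variables": {"RandomSeed": "1"},
})
```

A non-zero count on a file that should already be clean is the signal that CredScan will flag it again.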

pallavit commented 9 months ago

clientSecret is already in the suppression file.