MicrosoftLearning / eShopOnWeb

Repository maintained by AZ-400 course and Learn content community. Project used for AZ-400 Labs. Forked from: https://github.com/dotnet-architecture/eShopOnWeb Sample - ASP.NET Core 8.0 reference application, powered by Microsoft, demonstrating a layered application architecture with monolithic deployment model.
MIT License

If you have advanced security enabled, you cannot import to ADO because there is a file with an ACR secret in one of the commits #257

Closed sayedimac closed 2 weeks ago

sayedimac commented 2 months ago

Oops! Your import of https://github.com/MicrosoftLearning/eShopOnWeb repository failed due to VS403654: The push was rejected because it contains one or more secrets. Resolve the following secrets before pushing again. For help, see https://aka.ms/advancedsecurity/secret-scanning/push-protection. Secrets: commit: ca1b827325ef3fd6b2f6d815360b367ebab85f93 paths: /.github/workflows/docker-image.yml(31,23-75) : SEC101/176 : AzureContainerRegistryIdentifiableKey.

yashints commented 2 months ago

That commit belongs to a fork, how is this affecting this repo? Any ideas, @rob-foulkrod?

yashints commented 2 months ago

PS: I just imported the repo with no issues on my Azure DevOps, @sayedimac do you have a particular app or extensions installed?

rob-foulkrod commented 2 months ago

I can reproduce the error. Looks like they have started adding secret push protection in the import process. So learners who have configured Advanced Security AND have enabled 'Automatically enable Advanced Security for new projects' will be hit with this.

It can be solved by disabling the Auto enable prior to import or disabling Advanced Security once they have received this message.

Now the question becomes keeping or removing the secret. Thoughts?

sayedimac commented 2 months ago

@yashints Well, not really anything fancy that will stop this, except I think it is the advanced security that is preventing this from happening. I might fork the repo (tip) and import from there because it looks like the file was in an older commit and has been updated/removed.

Either way - here are my extensions:

[image]

yashints commented 2 months ago

Why can't I see the secret in the codebase? My understanding was it was part of a fork and not this repo.

LuizMacedo commented 2 weeks ago

I've tested and imported the repository multiple times for the updates I'm working on, even in repositories with GHAS, and I can't reproduce the issue. I'm closing the issue for now, but please let me know if it becomes a problem again. Thanks!
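An added example, not part of the thread or the project's code: a small triage helper that parses the VS403654 rejection text quoted above into commit, path, position and rule, then asks a local clone which refs reach the flagged commit. The message layout is inferred from the single message in this issue, and the names `parse_rejection`, `refs_containing` and `Finding` are made up for illustration.

```python
import re
import subprocess
from collections import namedtuple

# Excerpt of the rejection text quoted in the issue (taken from the page, not constructed).
SAMPLE = (
    "VS403654: The push was rejected because it contains one or more secrets. "
    "Resolve the following secrets before pushing again. Secrets: "
    "commit: ca1b827325ef3fd6b2f6d815360b367ebab85f93 "
    "paths: /.github/workflows/docker-image.yml(31,23-75) : SEC101/176 : "
    "AzureContainerRegistryIdentifiableKey."
)

Finding = namedtuple("Finding", "commit path line col_start col_end rule_id rule_name")

# Assumption: "commit: <sha>" followed by "<path>(line,col-col) : <rule id> : <rule name>",
# as in the one message on this page; other layouts are not handled.
_COMMIT = re.compile(r"commit:\s*([0-9a-f]{40})")
_LOCATION = re.compile(
    r"(?<!\S)(/[^\s()]+)\((\d+),(\d+)-(\d+)\)\s*:\s*(SEC\d+/\d+)\s*:\s*(\w+)"
)

def parse_rejection(text):
    """Return one Finding per flagged location, paired with the commit named before it."""
    commits = [(m.start(), m.group(1)) for m in _COMMIT.finditer(text)]
    findings = []
    for m in _LOCATION.finditer(text):
        owners = [sha for pos, sha in commits if pos < m.start()]
        if not owners:
            continue  # a location with no preceding commit: skip rather than guess
        path, line, c0, c1, rule_id, rule_name = m.groups()
        findings.append(Finding(owners[-1], path.lstrip("/"), int(line),
                                int(c0), int(c1), rule_id, rule_name))
    return findings

def refs_containing(repo, sha):
    """Refs in the clone at `repo` whose history reaches `sha`.

    Returns [] when no ref reaches the commit or the object is not in the clone.
    """
    proc = subprocess.run(
        ["git", "-C", repo, "for-each-ref", "--contains", sha, "--format=%(refname)"],
        capture_output=True, text=True,
    )
    return proc.stdout.split() if proc.returncode == 0 else []

if __name__ == "__main__":
    for f in parse_rejection(SAMPLE):
        print(f, refs_containing(".", f.commit))
```

Run it from inside a clone of the repository being imported; `git show <commit>:<path>` then displays the flagged file at that commit.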