Open · fer opened 3 months ago
Checkmarx One – Scan Summary & Details – b2e1443f-e55d-46e8-b96b-a697bfa00ff9
How do we make sure that secrets added to new and existing environment files are redacted?
Thank you for bringing this up. To ensure the dynamic redaction of secrets from `.env` files and others, we could enhance the `shareconfig` function with a more comprehensive and adaptable regex pattern matching system:

```regex
\b(?:PASSWORD|SECRET|KEY|TOKEN)\s*=\s*.+
\b(?:PASSWORD|SECRET|KEY|TOKEN)\s*:\s*.+
```

But these patterns would still only catch the common ways; they wouldn't cover new situations. Open to new suggestions to investigate.
As discussed, we should put a disclaimer on the script stating the files and values we have masked, and that the user should verify there are no additional config files that contain secrets. This ensures they are agreeing that there might be secrets that are still shared.
## Description

Introduces the `shareconfig` functionality to the Bitwarden self-hosted setup script, enabling administrators to securely share their Bitwarden configuration files. The `shareconfig` command sanitizes sensitive information by redacting values associated with passwords and secrets before compressing the configuration files into a `tar.gz` archive. This ensures that critical information remains secure when configuration files need to be shared for troubleshooting or auditing purposes.

## Features

- `.conf`, `.env`, `.xml`, and `.yml` files within the Bitwarden configuration directory.
- `tar.gz` archive of the sanitized configuration files, ready for secure sharing with support teams or for audit purposes.

## Usage examples

To use this functionality, run the following command from the Bitwarden self-hosted script directory:

This will generate a file named `bitwarden-configs-redacted-<timestamp>.tar.gz` in the current directory.

## Testing

Please review this PR for inclusion in the next release of Bitwarden self-hosted. Your feedback and suggestions are welcome!
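The following is an added example, not code from this PR or from the Bitwarden setup script, showing one way to implement the redaction discussed in the thread and the bundling described above. It is written as POSIX sh plus awk because `bitwarden.sh` is a shell script; the `\b(?:...)` patterns posted in the thread are PCRE and will not run unchanged under `sed -E` (no `(?:` groups), so the matching here is plain ERE. Assumptions: the word list (password/secret/key/token) is the illustrative one from the thread; the secret word is matched anywhere in the key, case-insensitively, rather than at a `\b` boundary, so a key such as `globalSettings__installation__key` is caught; a non-secret key whose value embeds `Password=...` (a SQL connection string) keeps everything except that field; `.xml` is skipped because it is not key=value; the sample `global.override.env` content is constructed for the demo, not taken from a real install.

```shell
#!/bin/sh
# Added example, not code from the Bitwarden PR: a line-oriented redactor for
# KEY=value (.env/.conf) and key: value (.yml) files, plus a wrapper that bundles
# the sanitized copies into a tar.gz the way the thread's shareconfig describes.
set -eu

# redact_stream: stdin -> stdout.  Keys containing password/secret/key/token
# (the word list proposed in the thread; assumption: illustrative, extend as
# needed) lose their whole value.  Matching is case-insensitive and looks for the
# word anywhere in the key, so globalSettings__installation__key is caught even
# though \bKEY would not match it.  A non-secret key whose value embeds
# "Password=..." (a SQL connection string) keeps everything but that field.
redact_stream() {
  awk '
  {
    line = $0
    # head = optional "export ", the key, the "=" or ":" separator and spacing
    if (match(line, /^[ \t]*(export[ \t]+)?[A-Za-z0-9_.-]+[ \t]*[=:][ \t]*/)) {
      head = substr(line, 1, RLENGTH)
      val  = substr(line, RLENGTH + 1)
      if (tolower(head) ~ /(password|secret|key|token)/) {
        line = head "<redacted>"
      } else {
        lv = tolower(val)              # same length as val, so offsets line up
        if (match(lv, /(password|pwd)=[^;]*/)) {
          pre  = substr(val, 1, RSTART - 1)
          seg  = substr(val, RSTART, RLENGTH)      # e.g. Password=S3cret!
          post = substr(val, RSTART + RLENGTH)
          line = head pre substr(seg, 1, index(seg, "=")) "<redacted>" post
        }
      }
    }
    print line
  }'
}

# redact_line LINE: convenience wrapper for single lines.
redact_line() {
  printf '%s\n' "$1" | redact_stream
}

# share_config CONFIG_DIR OUT_TGZ: sanitize every .env/.conf/.yml/.yaml under
# CONFIG_DIR (given without a trailing slash) into a temp tree, archive it, and
# list the archive so the operator can see exactly what was bundled.  .xml is not
# key=value and is deliberately skipped; it needs its own pattern.
# Assumption: file names contain no newlines (plain find | while read loop).
share_config() {
  cfg="$1"; out="$2"
  tmp="$(mktemp -d)"
  find "$cfg" -type f \( -name '*.env' -o -name '*.conf' -o -name '*.yml' -o -name '*.yaml' \) |
  while IFS= read -r f; do
    rel="${f#"$cfg"/}"
    mkdir -p "$tmp/$(dirname "$rel")"
    redact_stream < "$f" > "$tmp/$rel"
  done
  tar -czf "$out" -C "$tmp" .
  rm -rf "$tmp"
  tar -tzf "$out"
}

# Demo on a constructed sample (modelled on a Bitwarden-style global.override.env,
# not taken from a real install).
demo() {
  d="$(mktemp -d)"
  mkdir -p "$d/env"
  cat > "$d/env/global.override.env" <<'EOF'
globalSettings__baseServiceUri__vault=https://vault.example.com
globalSettings__sqlServer__connectionString=Data Source=tcp:mssql,1433;Initial Catalog=vault;User ID=sa;Password=S3cret!;Encrypt=True
globalSettings__installation__key=abc123def
globalSettings__mail__smtp__password=hunter2
EOF
  echo '--- redacted copy ---'
  redact_stream < "$d/env/global.override.env"
  echo '--- archive contents ---'
  share_config "$d" "$d/bitwarden-configs-redacted-$(date +%Y%m%d%H%M%S).tar.gz"
  rm -rf "$d"
}
demo
```

Two design choices worth noting. Matching the secret word anywhere in the key over-redacts (a non-secret setting whose name happens to contain "key" loses its value too), which is the safer failure mode for a bundle that leaves the operator's machine. The final `tar -tzf` listing is the mechanical half of the disclaimer suggested in the thread: it shows the operator exactly which files were bundled, so they can check for config files the patterns did not cover before sending the archive.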