cds-snc / cds-ai-codereviewer

CDS AI Code Reviewer: Enhance your GitHub workflow with AI-powered code review! Get intelligent feedback and suggestions on pull requests using OpenAI's GPT-4 API, improving code quality and saving developers time.
MIT License

Use an Azure OpenAI Endpoint #2

Closed CalvinRodo closed 1 month ago

CalvinRodo commented 2 months ago

We should use the Azure OpenAI endpoint instead of the OpenAI API endpoint as the Azure service has been assessed by CCCS for PB data.

Link to Services in scope on Canada Protected B documentation from MS: https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-canada-protected-b#services-in-scope

List of in scope services: https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all

Because the Action will have access to the secrets in the repo, this introduces the risk that Protected/Sensitive information will be sent to an unassessed service.

I would say this is a required feature change before we start to use this service on any repo that has access to Secrets that may be considered sensitive, which, with how we use organizational secrets in GitHub, is every repo in the cds-snc organization.

jimleroyer commented 2 months ago

Hi Calvin. The requirement to plug in with Azure before pursuing the AI reviews makes this prototyping effort difficult, as in we have to deliver the kitchen sink before the prototype. It might not be something worth digging into in the end and I would prefer to avoid unnecessary effort.

Would reviewing the code and forking the repository not guarantee that we do not send secrets to the service in question? We performed these 2 actions as discussed in the Slack thread in the hope that we could then test the action and deliver our feedback to share with the rest of the organization.

jimleroyer commented 1 month ago

This is considered complete work with this now-merged PR #3.