eclipse-tractusx / demand-capacity-mgmt

Apache License 2.0

Security: A secret has been published #108

Closed carslen closed 2 months ago

carslen commented 2 months ago

In a previously merged PR (#80) a secret was published, which I missed in my approval of that PR:

https://github.com/eclipse-tractusx/demand-capacity-mgmt/blob/d7ed0e8881b4bba94f11a65906d5b6148735570e/dev/dcm_realm.json#L730-L736

I got contacted by my employer's cybersecurity department at Mercedes-Benz, as I merged the PR, and need to confirm that this is not a security incident and that no MB internal systems can be compromised using this secret.

Do not publish secrets or any other sensitive data in repositories.

I have to provide feedback by EOW to my employer's cybersecurity department. Please handle with appropriate priority.

cc @RoKrish14

nitin-vavdiya commented 2 months ago

Thanks for raising this issue.

This is a sample realm JSON file for Keycloak, and it is used for local testing and development purposes only (ref: `./dev/dcm_realm.json:/opt/keycloak/data/import/dcm_realm_local.json`).

We put this secret hard-coded so developers do not need to create a secret manually.

If you still see it as a security issue, then we can leave it as an empty string.
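As an added example (not code from the project or from either commenter), the check below is what a reviewer could run over a Keycloak realm export before approving a PR: it lists confidential clients whose `secret` field carries a real value rather than an empty string (the remediation proposed in this thread) or the `**********` mask Keycloak writes when a realm is exported through the admin console, and it can rewrite the file with those secrets blanked. The realm document embedded here is constructed for the example and is not the repository's `dev/dcm_realm.json`; the secret value in it is invented.

```python
import json
import sys

# Values that carry no usable credential: an empty string (the fix proposed
# in the issue) and the mask Keycloak substitutes for secrets on admin-console export.
SECRET_PLACEHOLDERS = {"", "**********"}

# Constructed sample realm export for this example; NOT the project's
# dev/dcm_realm.json. The "backend-service" secret is an invented value.
SAMPLE_REALM_JSON = json.dumps({
    "realm": "example-realm",
    "clients": [
        {"clientId": "web-frontend", "publicClient": True},
        {"clientId": "backend-service", "publicClient": False,
         "secret": "hypothetical-secret-do-not-use"},
        {"clientId": "scrubbed-client", "publicClient": False, "secret": ""},
        {"clientId": "exported-client", "publicClient": False,
         "secret": "**********"},
    ],
})


def find_hardcoded_client_secrets(realm_text):
    """Return clientIds of clients whose 'secret' is a real (non-placeholder) value."""
    realm = json.loads(realm_text)
    findings = []
    for client in realm.get("clients", []):
        secret = client.get("secret")
        if not isinstance(secret, str):
            continue  # public clients and clients without a secret field
        if secret.strip() in SECRET_PLACEHOLDERS:
            continue  # already blanked or masked by Keycloak's exporter
        findings.append(client.get("clientId", "<unnamed>"))
    return findings


def scrub_client_secrets(realm_text):
    """Return a copy of the realm JSON with every client 'secret' set to ''."""
    realm = json.loads(realm_text)
    for client in realm.get("clients", []):
        if isinstance(client.get("secret"), str):
            client["secret"] = ""
    return json.dumps(realm, indent=2)


def main(argv):
    # Usage: python check_realm.py [realm.json]; with no path, scans the sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REALM_JSON
    findings = find_hardcoded_client_secrets(text)
    for client_id in findings:
        print(f"hard-coded client secret in client: {client_id}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the realm file as its only argument; a non-zero exit status makes it usable as a pre-commit or CI gate, and `scrub_client_secrets` produces the blanked version that developers can then fill in locally.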

carslen commented 2 months ago

Thanks for the quick reply. ok2close