galasa-dev / projectmanagement

Project Management repo for Issues and ZenHub

LF scans: Secrets issues remediation #1731

Open techcobweb opened 5 months ago

techcobweb commented 5 months ago

Story

As a Galasa project user I want to be sure that no secrets are ever checked in to the codebase for malicious people to use to attack our infrastructure.

Background

The Linux Foundation has published some security scan results: https://security.lfx.linuxfoundation.org/#/a092M00001O6R6SQAV/overview

More specifically... https://security.lfx.linuxfoundation.org/#/a092M00001O6R6SQAV/code-secrets

We need to fix all the password and credentials issues in the code control immediately.

Need to look at the problems and be able to list the issues we actually have.

Don't just delete files with secrets in; we have to figure out what secrets have been exposed and change them in the deployed environment.

e.g. do we have to re-install argocd?

Build a list of actions then we can get a better idea of how long it will take.

Tasks

techcobweb commented 2 months ago

Blocked waiting for a way of removing the secrets that the LF scans show up.