Open Laugslander opened 9 months ago
I'm concerned about the handling of the case where a salt has not been provided. As far as I can tell this would mean the hash(value, "") would show up in the logs.
Following up on this to see what your thoughts are?
You are right, the unsalted hashed value is printed in the logs.
As a mitigation, I now use the GITHUB_REPOSITORY_ID as the default salt value. What do you think?
Adds the audit_log output parameter that captures audit log information in a list of JSON objects. Fixes #110

An audit log object contains the following properties:

- repo: string
- target: string
- action: string
- secret_name: string
- secret_hash: string
- environment: string
- dry_run: boolean

The secret_hash contains the hashed password. This can be used to track whether a secret actually changes. Optionally, a custom salt can be provided via the audit_log_hashing_salt to make it more difficult to reverse engineer the secret.

This functionality might be a bit specific for our project's needs. If it is useful for the greater public, feel free to merge. It does not introduce any breaking changes.
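A sketch of the salted hashing the thread discusses, added here as an example and not the project's own code: resolve_salt, secret_hash, audit_entry and audit_log_output are hypothetical names, the HMAC-SHA256 construction is my choice, and an empty salt is rejected outright so the hash(value, "") case from the first comment cannot reach the log. The object keys follow the property list in the PR description.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Hypothetical helpers written for this discussion, not the project's code.


def resolve_salt(custom_salt: Optional[str], env: Dict[str, str]) -> str:
    """Prefer the audit_log_hashing_salt input; otherwise fall back to the
    GITHUB_REPOSITORY_ID the runner exposes, as the reply proposes."""
    if custom_salt:
        return custom_salt
    repo_id = env.get("GITHUB_REPOSITORY_ID", "")
    if not repo_id:
        raise ValueError("no salt available: set audit_log_hashing_salt")
    return repo_id


def secret_hash(value: str, salt: str) -> str:
    """HMAC-SHA256 of the secret keyed by the salt. An empty salt is refused
    so an unsalted digest of the secret can never be written to the log."""
    if not salt:
        raise ValueError("refusing to hash a secret with an empty salt")
    return hmac.new(salt.encode(), value.encode(), hashlib.sha256).hexdigest()


def audit_entry(repo: str, target: str, action: str, secret_name: str,
                secret_value: str, environment: str, dry_run: bool,
                salt: str) -> Dict[str, object]:
    """Build one audit log object; only the salted hash of the secret is kept."""
    return {
        "repo": repo,
        "target": target,
        "action": action,
        "secret_name": secret_name,
        "secret_hash": secret_hash(secret_value, salt),
        "environment": environment,
        "dry_run": dry_run,
    }


def audit_log_output(entries: List[Dict[str, object]]) -> str:
    """Serialise the list of objects as the audit_log output value."""
    return json.dumps(entries)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    salt = resolve_salt(None, {"GITHUB_REPOSITORY_ID": "123456789"})
    entry = audit_entry("org/app", "repo", "set", "API_TOKEN",
                        "constructed-secret", "production", False, salt)
    print(audit_log_output([entry]))
```

Note that GITHUB_REPOSITORY_ID is not secret, so the default salt only stops the same secret from producing the same hash across repositories; a weak secret can still be confirmed by anyone who can read the log and knows the repository id, which a private audit_log_hashing_salt avoids.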