jpoehnelt / secrets-sync-action

A Github Action that can sync secrets from one repository to many others.
https://github.com/marketplace/actions/secrets-sync-action
Apache License 2.0
314 stars 92 forks

feat: Add audit log output #111

Open Laugslander opened 9 months ago

Laugslander commented 9 months ago

Adds the audit_log output parameter that captures audit log information in a list of JSON objects. Fixes #110

An audit log object contains the following properties:

The secret_hash contains the hashed password. This can be used to track whether a secret actually changes. Optionally, a custom salt can be provided via the audit_log_hashing_salt to make it more difficult to reverse engineer the secret.

This functionality might be a bit specific for our project's needs. If it is useful for the greater public, feel free to merge. It does not introduce any breaking changes.

jpoehnelt commented 8 months ago

I'm concerned about the handling of the case where a salt has not been provided. As far as I can tell this would mean the hash(value, "") would show up in the logs.

Following up on this to see what your thoughts are?

Laugslander commented 8 months ago

> I'm concerned about the handling of the case where a salt has not been provided. As far as I can tell this would mean the hash(value, "") would show up in the logs.
>
> Following up on this to see what your thoughts are?

You are right, the unsalted hashed value is printed in the logs. As a mitigation, I now use the GITHUB_REPOSITORY_ID as the default salt value. What do you think?
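The two points made in this thread, that hash(value, "") in a log is only a wordlist away from the secret, and that a default salt taken from GITHUB_REPOSITORY_ID closes the unsalted case, as an added TypeScript example. This is not the action's own code: only the names secret_hash, audit_log_hashing_salt and GITHUB_REPOSITORY_ID come from the PR; the other entry fields, the choice of HMAC-SHA256 as the hash construction, the function names and the wordlist are assumptions made for the example. It also shows the caveat the default salt carries: the repository id is not secret, so it defeats precomputed tables but not a targeted guess by someone who knows which repository the log belongs to.

```typescript
import { createHmac } from "crypto";

// One audit log entry. Only secret_hash is taken from the PR text; the other
// field names are assumptions for this example.
interface AuditLogEntry {
  repository: string;
  secret_name: string;
  secret_hash: string;
  action: "created" | "updated" | "unchanged";
}

// hash(value, salt). HMAC-SHA256 keyed with the salt is an assumption; the PR
// does not state which construction it uses, only that a salt is mixed in.
function hashSecret(value: string, salt: string): string {
  return createHmac("sha256", salt).update(value, "utf8").digest("hex");
}

// Salt selection as the follow-up comment describes it: an explicit
// audit_log_hashing_salt input wins, otherwise GITHUB_REPOSITORY_ID. Refusing
// to run with no salt at all is this example's choice, so hash(value, "") can
// never be what ends up in the log.
function resolveSalt(
  inputSalt: string | undefined,
  env: Record<string, string | undefined>,
): string {
  if (inputSalt) return inputSalt;
  const repoId = env["GITHUB_REPOSITORY_ID"];
  if (repoId) return repoId;
  throw new Error("no salt: set audit_log_hashing_salt or GITHUB_REPOSITORY_ID");
}

// Build one entry, using the hash recorded on the previous run to decide
// whether the secret actually changed, which is the use the PR gives for
// secret_hash.
function buildAuditEntry(
  repository: string,
  secretName: string,
  value: string,
  salt: string,
  previousHash?: string,
): AuditLogEntry {
  const secret_hash = hashSecret(value, salt);
  let action: AuditLogEntry["action"];
  if (previousHash === undefined) action = "created";
  else if (previousHash === secret_hash) action = "unchanged";
  else action = "updated";
  return { repository, secret_name: secretName, secret_hash, action };
}

// The reviewer's concern, modelled as an attacker who can read the workflow
// log: try a wordlist of guessable secrets against a hash found there, using
// whatever salt the attacker knows. An empty salt needs no knowledge at all.
// GITHUB_REPOSITORY_ID is not secret (it is a public property of the
// repository), so it stops precomputed tables but not a targeted guess by
// someone who knows which repository the log came from.
function recoverFromLog(
  leakedHash: string,
  wordlist: string[],
  attackerSalt: string,
): string | null {
  for (const guess of wordlist) {
    if (hashSecret(guess, attackerSalt) === leakedHash) return guess;
  }
  return null;
}

// Constructed sample data for the demonstration, not real secrets or
// repositories.
const WORDLIST = ["password", "changeme", "hunter2", "Summer2024!"];

function demo(): {
  unsalted: string | null;
  salted: string | null;
  withRepoId: string | null;
} {
  const repoId = "123456789";
  const env = { GITHUB_REPOSITORY_ID: repoId };
  const salt = resolveSalt(undefined, env);
  const entry = buildAuditEntry("octo-org/app", "DEPLOY_TOKEN", "hunter2", salt);
  // What the reviewer objected to: the unsalted hash falls to a wordlist directly.
  const unsalted = recoverFromLog(hashSecret("hunter2", ""), WORDLIST, "");
  // With the repository id as salt, the same wordlist fails without the id...
  const salted = recoverFromLog(entry.secret_hash, WORDLIST, "");
  // ...but succeeds for an attacker who looked the id up.
  const withRepoId = recoverFromLog(entry.secret_hash, WORDLIST, repoId);
  return { unsalted, salted, withRepoId };
}

console.log(JSON.stringify(demo()));
```

The hash comparison in buildAuditEntry is on hex strings of equal length and is not on an attacker-controlled path, so a constant-time compare is not needed there; the point of the example is that whatever salt is chosen, it should be one the log reader does not already have, which is why a user-supplied audit_log_hashing_salt stored as a repository secret is still the stronger option.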