Conduct an audit of the whole codebase, verifying secrets are used properly

pulumi / pulumi-pulumiservice

https://pulumi.com

Apache License 2.0

13 stars 6 forks source link

Open IaroslavTitov opened 1 month ago

IaroslavTitov commented 1 month ago

Recently we had an incident where improper marshaling settings resulted in secrets leaking - https://github.com/pulumi/pulumi-pulumiservice/pull/381

Conduct an audit of the whole projects, making sure secrets are properly treated. Possibly, we can replace all MarshalSettings with a const to avoid such issues in the future.
Add tests that verify secrets are kept hidden to avoid regressions like this

aureq commented 1 month ago

@IaroslavTitov Do you think #384 should be looked at as part of this issue?

IaroslavTitov commented 1 month ago

@IaroslavTitov Do you think #384 should be looked at as part of this issue?

Potentially yes. If the config secret way I linked in that issue doesn't work, then that issue is a security hole somewhere, but I'm hoping it works