trufflesecurity / trufflehog

Find and verify secrets
https://trufflesecurity.com
GNU Affero General Public License v3.0

Update Azure secretPatFmt #3039

Open justanothernate opened 4 days ago

justanothernate commented 4 days ago

We had a secret leak through, and it looks like the existing detector doesn't match Azure docs:

https://learn.microsoft.com/en-us/purview/sit-defn-client-secret-api-key

This changed regex should match what is found in the above docs:

A combination of 24 characters consisting of letters, digits, and special characters.

or

A combination of 32 characters consisting of letters and digits.

or

A combination of 40 characters consisting of letters and digits.

or

A combination of 44 characters consisting of letters, digits, and special characters.

or

A combination of 56 characters consisting of letters, digits, and special characters.

or

A combination of 88 characters consisting of letters, digits, and special characters.


CLAassistant commented 4 days ago

CLA assistant check
All committers have signed the CLA.

rgmz commented 4 days ago

> We had a secret leak through and looks like the existing detector doesn't match Azure docs:
>
> https://learn.microsoft.com/en-us/purview/sit-defn-client-secret-api-key

This appears to be a generic reference for any client secret. Entra/Azure AD service principal secret guidelines are here.

Out of curiosity, how old was the secret in question? If it was generated within the last few years, it should match this pattern (...Q~...).

https://github.com/trufflesecurity/trufflehog/blob/4a99e74323132ac7b2a26139773a414e93ff7077/pkg/detectors/azure_entra/serviceprincipal/v2/spv2.go#L34

justanothernate commented 4 days ago

Got it, thanks for the link.

The secret we had that slipped through was new, but it has 40 chars, so it didn't match the existing filter, which was set for 34 chars. Based on the linked doc you added, we could just leave the existing regex pattern as-is but change it to match a length of 40 chars. We could also do 34 - 40 chars long if the original value of 34 was something that was used previously and you want to retain matches of that or any intermediary length as well.
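To make the length discussion concrete, here is an added Go example (written for this thread, not TruffleHog's own detector code) that encodes the six length classes quoted from the Purview page as anchored patterns, tokenises some constructed config text, and shows that a pattern pinned to exactly 34 characters misses a 40-character alphanumeric secret. The Purview page does not enumerate which "special characters" it means, so the set `. _ ~ -` in the example is an assumption; the sample values are constructed with `strings.Repeat` and are not real secrets.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Length classes for Azure client secrets as listed in the Purview SIT
// definition quoted in the PR description:
//   24, 44, 56, 88 characters: letters, digits and special characters
//   32, 40 characters:         letters and digits only
// Microsoft does not enumerate the "special characters", so the set . _ ~ -
// used here is an assumption made for this example.
const (
	alnum        = `[A-Za-z0-9]`
	alnumSpecial = `[A-Za-z0-9._~-]`
)

var lengthClasses = []struct {
	length  int
	charset string
}{
	{24, alnumSpecial},
	{32, alnum},
	{40, alnum},
	{44, alnumSpecial},
	{56, alnumSpecial},
	{88, alnumSpecial},
}

// classMatchers holds one anchored regexp per length class, compiled once.
var classMatchers = func() []*regexp.Regexp {
	out := make([]*regexp.Regexp, len(lengthClasses))
	for i, c := range lengthClasses {
		out[i] = regexp.MustCompile(fmt.Sprintf(`^%s{%d}$`, c.charset, c.length))
	}
	return out
}()

// legacy34 stands in for the single-length pattern described in the thread:
// a detector pinned to exactly 34 characters.
var legacy34 = regexp.MustCompile(`^` + alnumSpecial + `{34}$`)

// tokenSplit breaks free text on any byte that cannot occur inside a secret.
var tokenSplit = regexp.MustCompile(`[^A-Za-z0-9._~-]+`)

// Constructed sample values for the demonstration; they are not real secrets.
var (
	Constructed40 = strings.Repeat("aB3", 13) + "Z" // 40 letters/digits
	Constructed24 = strings.Repeat("xY9~", 6)       // 24 chars incl. a special
	SampleText    = "client_id=11111111-2222-3333-4444-555555555555\n" +
		"client_secret=\"" + Constructed40 + "\"\n" +
		"api_key='" + Constructed24 + "'\n"
)

// MatchAzureSecretLength returns the documented length class that tok falls
// into (exact length and the character set permitted for that length), or 0.
func MatchAzureSecretLength(tok string) int {
	for i, m := range classMatchers {
		if m.MatchString(tok) {
			return lengthClasses[i].length
		}
	}
	return 0
}

// MatchesLegacy34 reports whether tok would be caught by a 34-only pattern.
func MatchesLegacy34(tok string) bool {
	return legacy34.MatchString(tok)
}

// ScanText tokenises text and returns every token that falls into a documented
// length class, mapped to that class's length.
func ScanText(text string) map[string]int {
	hits := map[string]int{}
	for _, tok := range tokenSplit.Split(text, -1) {
		if n := MatchAzureSecretLength(tok); n != 0 {
			hits[tok] = n
		}
	}
	return hits
}

func main() {
	for tok, n := range ScanText(SampleText) {
		fmt.Printf("candidate (%d-char class): %s  caught by 34-only pattern: %v\n",
			n, tok, MatchesLegacy34(tok))
	}
}
```

Two things the example makes visible that the thread only implies: a 40-character value containing `~` matches none of the classes, because the Purview text allows special characters only in the 24/44/56/88 lengths, and any 32-character hex string (a dashless GUID, an MD5 digest) satisfies the 32 class, so length-and-charset matching alone produces false positives and the verification step is what separates a real credential from noise.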

rosecodym commented 1 day ago

@abmussani