feat(engine): Mask secrets #387

Merged
merged 6 commits into from
Sep 10, 2024

@daryllimyt (Contributor) commented Sep 8, 2024

Changes

  • Fix `JSONDecodeError` in run history
  • Add secret masking in UDF inputs/outputs
  • Add environment variable `TRACECAT__UNSAFE_DISABLE_SM_MASKING` to toggle masking secrets. We don't expose this in `.env.example`.

Invariants or non-negotiables

  • Any secret values returned by UDFs will be fully masked
    • If you try to use a result that involves a secret value, you will receive the masked value
    • This is intentional, as otherwise we are crossing a security boundary
    • The only secure method of retrieving secrets is using the SM inside an integration or secret expression.

@github-actions bot added the engine (Improvements or additions to the workflow engine) and enhancement (New feature or request) labels Sep 8, 2024
@daryllimyt daryllimyt merged commit c0475d2 into main Sep 10, 2024
8 checks passed
@daryllimyt daryllimyt deleted the feat/redact-secrets branch September 10, 2024 01:53
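
What masking secret values in UDF inputs/outputs involves, as an added example that is not code from this PR or from Tracecat: `mask_secrets`, `MASK` and the sample values are assumptions made for illustration. It generalizes the invariant above to nested structures and to secrets embedded inside longer strings.

```python
from typing import Any

MASK = "***"  # assumed mask string; the PR does not say what the real mask looks like


def mask_secrets(value: Any, secrets: set[str], mask: str = MASK) -> Any:
    """Return a copy of `value` with every occurrence of a secret replaced by `mask`."""
    # Longest first: if one secret is a prefix of another, masking the short one
    # first would leave the tail of the long one readable.
    # Empty strings are dropped: "abc".replace("", mask) inserts the mask everywhere.
    ordered = sorted((s for s in secrets if s), key=len, reverse=True)

    def walk(node: Any) -> Any:
        if isinstance(node, str):
            for secret in ordered:
                node = node.replace(secret, mask)
            return node
        if isinstance(node, dict):
            # Keys are masked as well as values, since a secret can end up in either.
            return {walk(k): walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(item) for item in node]
        if isinstance(node, tuple):
            return tuple(walk(item) for item in node)
        return node  # other scalars (int, float, bool, None) pass through unchanged

    return walk(value)


# Constructed sample data: two overlapping secrets and an empty one.
SAMPLE_SECRETS = {"s3cr3t-token", "s3cr3t-token-long", ""}
SAMPLE_RESULT = {
    "status": 200,
    "headers": {"Authorization": "Bearer s3cr3t-token-long"},
    "echo": ["token=s3cr3t-token&x=1", ("s3cr3t-token",)],
}

if __name__ == "__main__":
    # A downstream consumer of the result only ever sees the masked copy.
    print(mask_secrets(SAMPLE_RESULT, SAMPLE_SECRETS))
```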