-
Notifications
You must be signed in to change notification settings - Fork 679
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(Feat): Interacting with projects programmatically #1400
Conversation
|
GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
---|---|---|---|---|---|
9387832 | Triggered | Generic Password | 04c12d9 | backend/src/db/seeds/1-user.ts | View secret |
9387832 | Triggered | Generic Password | 0cecf05 | backend/src/db/seeds/1-user.ts | View secret |
9387832 | Triggered | Generic Password | f2c36c5 | backend/src/db/seeds/1-user.ts | View secret |
9387832 | Triggered | Generic Password | faa842c | backend/src/db/seeds/1-user.ts | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Our GitHub checks need improvements? Share your feedbacks!
b7278d0
to
ae4fa7e
Compare
9ab242e
to
a9f0474
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One more question. As we are polling the system. Are we blocking user interactions.
Because what will happen if user's does something while the indexing is happening behind the scene. Blind index didn't had this issue because those secrets were never accessible by end users. But this case is not
...retApprovalPage/components/SecretApprovalRequest/components/SecretApprovalRequestChanges.tsx
Outdated
Show resolved
Hide resolved
frontend/src/components/v2/UpgradeProjectAlert/UpgradeProjectAlert.tsx
Outdated
Show resolved
Hide resolved
This is an interesting case yea. I agree, we should to some degree block secret mutations while an upgrade is happening. I've just pushed a change that blocks secret write operations if an upgrade is active. You can check it out here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks real good! Just left some minor nits. Should be good to go after that
Note: API breaking change checker will fail because we've removed |
f47c479
to
602933c
Compare
995a81d
to
554f0cf
Compare
Description 📣
This PR introduces a new concept called ghost users. Due to the nature of Infisical's end-to-end encryption structure, it was previously not possible to interact with projects programmatically through the API and other consuming applications. By introducing ghost user's, we're slowly moving to a more industry-standard way of storing secrets securely, while at the same time improving the user experience for everyone.
To sum it up. The main purpose of the PR is to make the API more user-friendly, and to introduce a better approach as to how we securely store secrets. Existing projects will get an option to upgrade to the new ghost user logic. All new projects will be created with the ghost logic by default.
Type ✨