|
| 1 | +# Guide for monitoring CredScan checks |
| 2 | + |
| 3 | +This guide describes how package owners can monitor their package's Credential Scanner (CredScan) status and correct |
| 4 | +any warnings. |
| 5 | + |
| 6 | +General information about CredScan can be found in the overview documentation at [aka.ms/credscan][credscan_doc]. The |
| 7 | +Azure SDK's motivation and methodology for running CredScan is documented [here][devops_doc]. |
| 8 | + |
| 9 | +## Table of Contents |
| 10 | +- [Check CredScan status](#check-credscan-status) |
| 11 | +- [Correct active warnings](#correct-active-warnings) |
| 12 | + - [True positives](#true-positives) |
| 13 | + - [False positives](#false-positives) |
| 14 | +- [Correct baselined warnings](#correct-baselined-warnings) |
| 15 | + |
| 16 | +## Check CredScan status |
| 17 | + |
| 18 | +CredScan is run each night over the entire `azure-sdk-for-python` repository as part of the |
| 19 | +[python - aggregate-reports][aggregate_reports] pipeline. The scan produces a list of active warnings in the "Post |
| 20 | +Analysis" task of the "ComplianceTools" job ([example output][credscan_output]). |
| 21 | + |
| 22 | +Each warning will begin with the path to the file containing a potential credential, as well as the row and column where |
| 23 | +the credential string begins. For example, for a potential credential that starts in row 3 and column 20 of a |
| 24 | +particular file: |
| 25 | +``` |
| 26 | +##[error]sdk/{service}/{package}/{file}.py:sdk/{service}/{package}/{file}.py(3,20) |
| 27 | +``` |
| 28 | + |
| 29 | +The warning will then list an error code and description of why the potential credential was flagged. |
| 30 | + |
| 31 | +## Correct active warnings |
| 32 | + |
| 33 | +If you find any warnings listed for a package you own, the next step is to determine if the potential credential found |
| 34 | +by CredScan is an actual credential (a true positive), or a fake credential/false flag (a false positive). |
| 35 | + |
| 36 | +### True positives |
| 37 | + |
| 38 | +If CredScan discovers an actual credential, please contact the EngSys team at [email protected] so any |
| 39 | +remediation can be done. |
| 40 | + |
| 41 | +### False positives |
| 42 | + |
| 43 | +If CredScan flags something that's not actually a credential or secret, we can suppress the warning to shut off the |
| 44 | +false alarm. CredScan allows you to suppress fake credentials by either suppressing a string value or by suppressing |
| 45 | +warnings for a whole file. **Files that contain more than just fake credentials shouldn't be suppressed.** |
| 46 | + |
| 47 | +Credential warnings are suppressed in [eng/CredScanSuppression.json][suppression_file]. Suppressed string values are in |
| 48 | +the `"placeholder"` list, and suppressed files are in the `"file"` list under `"suppressions"`. |
| 49 | + |
| 50 | +If you have a fake credential flagged by CredScan, try one of the following (listed from most to least preferable): |
| 51 | + - Import and use a suitable credential from a file that's already suppressed in [eng/CredScanSuppression.json][suppression_file]. |
| 52 | + - Replace the credential with a string value that's already suppressed in [eng/CredScanSuppression.json][suppression_file]. |
| 53 | + - Move the credential into a `fake_credentials.py` file in your package, and add the file path to the list of suppressed files if necessary. |
| 54 | + - Add the credential to the list of suppressed string values. |
| 55 | + |
| 56 | +Ideally, fake credential files -- which contain nothing but fake secrets -- should be suppressed and their fake |
| 57 | +credentials shouldn't appear in any other files. Sanitizers should be used to keep fake credentials out of test |
| 58 | +recordings when possible. String value suppression should be avoided unless the string appears in many files. |
| 59 | + |
| 60 | +Suppressing string values will disable warnings no matter where the string comes up during a scan, but is inefficient |
| 61 | +and inconvenient for lengthy strings. Suppressing warnings in a file is convenient for fake credential files, but |
| 62 | +strings in that file will still trigger warnings if present in another unsuppressed file. |
| 63 | + |
| 64 | +## Correct baselined warnings |
| 65 | + |
| 66 | +In addition to active warning that appear in the [python - aggregate-reports][aggregate_reports] pipeline ouput, there |
| 67 | +are also CredScan warnings that have been suppressed in [eng/python.gdnbaselines][baseline]. This file is a snapshot of |
| 68 | +the active warnings at one point in time; CredScan won't re-raise warnings that have been recorded here. |
| 69 | + |
| 70 | +Ultimately, we hope to remove this baseline file from the repository entirely. If you see any warnings for a package |
| 71 | +that you own in this file, please remove a few at a time from the file so that CredScan will output these warnings in |
| 72 | +the pipeline. Then, resolve them following the steps from the [Correct active warnings](#correct-active-warnings) |
| 73 | +section of this guide. |
| 74 | + |
| 75 | + |
| 76 | +[aggregate_reports]: https://dev.azure.com/azure-sdk/internal/_build?definitionId=1401&_a=summary |
| 77 | +[baseline]: https://github.com/Azure/azure-sdk-for-python/blob/main/eng/python.gdnbaselines |
| 78 | +[credscan_doc]: https://aka.ms/credscan |
| 79 | +[credscan_output]: https://dev.azure.com/azure-sdk/internal/_build/results?buildId=1320151&view=logs&j=3b141548-98d7-5be1-7ef8-eeb08ca02972&t=41e0d8dc-42df-5fff-2417-80cd016cccdb |
| 80 | +[devops_doc]: https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/413/Credential-Scan-Step-in-Pipeline |
| 81 | +[suppression_file]: https://github.com/Azure/azure-sdk-for-python/blob/main/eng/CredScanSuppression.json |
0 commit comments