Add CI/CD check to avoid uses of plain password on data directory #21136
Conversation
tinawang123
added
the
qe-core
tinawang123
changed the title
t/01_style.t
Outdated
| @@ -12,4 +12,6 @@ ok system(qq{git grep -I -l '[#/ ]*SPDX-License-Identifier ' ':!t/01_style.t'}) | |||
| $out = qx{git grep -ne "check_var('ARCH',.*)" -e "check_var('BACKEND',.*)" ':!lib/Utils/Architectures.pm' ':!lib/Utils/Backends.pm' 'lib' 'tests'}; | |||
| ok $? != 0 && $out eq '', 'No check_var function to verify ARCH/BACKEND types' or diag $out; | |||
| ok system(qq{git grep -I -l \\( -e "egrep" -e "fgrep" \\) ':!t/01_style.t' ':!CONTRIBUTING.md'}) != 0, 'No usage of the deprecated egrep and fgrep commands'; | |||
| $out = qx{git grep -I -l 'nots3cr3t' ':!data/wsl/Autounattend_*.xml' ':!data/yam/agama/auto/*plain_password.jsonnet' ':!data/yam/agama/auto/lvm_encrypted.jsonnet' 'data'}; | |||
There was a problem hiding this comment.
I asked developers about other plain password not in user or root, it will be very inefficient add a file to exclude here for each encryption scenario that we will have. You will have to exclude:
"luks2": { "password": "nots3cr3t" } and
"luks1": { "password": "nots3cr3t" } but now we have a way to pass it from the code like with AutoYaST, so we can avoid this.
There was a problem hiding this comment.
At here, we can only exclude file name, but if every encryption scenario include 'encrypted' in the files' name, I can exclude them with ':!data/yam/agama/auto/*_encrypted.jsonnet', Now I excluded all files which include plain password. If any update later, I can update this line again.
There was a problem hiding this comment.
Give us a time to pass the password in a different way. My suggestion is that you remove all the files in the exclusion list or at least the one in Yam and not merge this yet. The CI should not force name of files and I believe the check as it is now with exclusion could be removed by someone if enough annoyed for the need to add the file to the exclusion list each time encryption is used in a profile, a proper solution should be offered.
There was a problem hiding this comment.
Hello https://suse.slack.com/archives/C02CSAZLAR4/p1738922909487469 to add more context.
You could use $password like
Add CI/CD check to avoid uses of plain password on data directory in pull requests