|
| 1 | +# Guide for Validating the Build Compliance check on azure-sdk-for-net PRs |
| 2 | + |
| 3 | +This guide describes how package owners can monitor their package's Credential Scanner (CredScan) status and correct any errors. |
| 4 | +General information about CredScan can be found in the overview documentation at [aka.ms/credscan][credscan_doc]. The |
| 5 | +Azure SDK's motivation and methodology for running CredScan is documented [here][devops_doc]. |
| 6 | + |
| 7 | +## Table of Contents |
| 8 | +- [Check CredScan Status](#check-credscan-status) |
| 9 | +- [Correct Active Warnings](#correct-active-warnings) |
| 10 | + - [True Positives](#true-positives) |
| 11 | + - [False Positives](#false-positives) |
| 12 | +- [Correct Baselined Warnings](#correct-baselined-warnings) |
| 13 | + |
| 14 | +## Check CredScan Status |
| 15 | +CredScan is run each week over the entire `azure-sdk-for-net` repository as part of the |
| 16 | +[net-aggregate-reports][aggregate_reports] pipeline. The scan produces a list of active warnings in the "Post |
| 17 | +Analysis" task of the "ComplianceTools" job ([example output][credscan_output]). |
| 18 | + |
| 19 | +Each warning will begin with the path to the file containing a potential credential, as well as the row and column where |
| 20 | +the credential string begins. For example, for a potential credential that starts in row 3 and column 20 of a |
| 21 | +particular file: |
| 22 | +``` |
| 23 | +##[error]sdk/{service}/{package}/{file}.json:sdk/{service}/{package}/{file}.json(3,20) |
| 24 | +``` |
| 25 | + |
| 26 | +The warning will then list an error code and description of why the potential credential was flagged. |
| 27 | + |
| 28 | +## True Positives |
| 29 | +If an Azure service access secret was leaked follow the following procedure: |
| 30 | + |
| 31 | +1. Rotate the affected secrets. |
| 32 | +2. Send an email to azuresdkengsysteam@microsoft.com with a list of affected resources and describe the way the leak happened. |
| 33 | +3. Check if any unexpected changes were done to the resource while the secret was exposed. |
| 34 | +4. If secret was leaked via a git commit try to erase it from the git history by squashing commits or rebasing while excluding the commit. Don't try to erase if the change was already merged to a master branch, just open a new PR that removes the secret. |
| 35 | + |
| 36 | +If CredScan discovers an actual credential, please contact the EngSys team at azuresdkengsysteam@microsoft.com so any |
| 37 | +remediation can be done. |
| 38 | + |
| 39 | +## False Positives |
| 40 | +If CredScan flags something that's not actually a credential or secret, we can suppress the warning to shut off the |
| 41 | +false alarm. CredScan allows you to suppress fake credentials by either suppressing a string value or by suppressing |
| 42 | +warnings for a whole file. **Files that contain more than just fake credentials shouldn't be suppressed.** |
| 43 | + |
| 44 | +Credential warnings are suppressed in [eng/CredScanSuppression.json][suppression_file]. Suppressed string values are in |
| 45 | +the `"placeholder"` list, and suppressed files are in the `"file"` list under `"suppressions"`. |
| 46 | + |
| 47 | +If you have a fake credential flagged by CredScan, try one of the following (listed from most to least preferable): |
| 48 | + - Import and use a suitable credential from a file that's already suppressed in [eng/CredScanSuppression.json][suppression_file]. |
| 49 | + - Replace the credential with a string value that's already suppressed in [eng/CredScanSuppression.json][suppression_file]. |
| 50 | + - Move the credential into a `fake_credentials.json` file in your package, and add the file path to the list of suppressed files if necessary. |
| 51 | + - Add the credential to the list of suppressed string values. |
| 52 | + |
| 53 | +Ideally, fake credential files -- which contain nothing but fake secrets -- should be suppressed and their fake |
| 54 | +credentials shouldn't appear in any other files. Sanitizers should be used to keep fake credentials out of test |
| 55 | +recordings when possible. String value suppression should be avoided unless the string appears in many files. |
| 56 | + |
| 57 | +Suppressing string values will disable warnings no matter where the string comes up during a scan, but is inefficient |
| 58 | +and inconvenient for lengthy strings. Suppressing warnings in a file is convenient for fake credential files, but |
| 59 | +strings in that file will still trigger warnings if present in another unsuppressed file. |
| 60 | + |
| 61 | +## Correct Baselined Warnings |
| 62 | +In addition to active warning that appear in the [net-aggregate-reports][aggregate_reports] pipeline ouput, there |
| 63 | +are also CredScan warnings that have been suppressed in [eng/dotnet.gdnbaselines][baseline]. This file is a snapshot of |
| 64 | +the active warnings at one point in time; CredScan won't re-raise warnings that have been recorded here. |
| 65 | + |
| 66 | +Ultimately, we hope to remove this baseline file from the repository entirely. If you see any warnings for a package |
| 67 | +that you own in this file, please remove a few at a time from the file so that CredScan will output these warnings in |
| 68 | +the pipeline. Then, resolve them following the steps from the [Correct Active Warnings](#correct-active-warnings) |
| 69 | +section of this guide. |
| 70 | + |
| 71 | +[aggregate_reports]: https://dev.azure.com/azure-sdk/internal/_build?definitionId=1399&_a=summary |
| 72 | +[baseline]: https://github.com/Azure/azure-sdk-for-net/blob/main/eng/dotnet.gdnbaselines |
| 73 | +[credscan_doc]: https://aka.ms/credscan |
| 74 | +[credscan_output]: https://dev.azure.com/azure-sdk/internal/_build/results?buildId=1321293&view=logs&j=3b141548-98d7-5be1-7ef8-eeb08ca02972&t=7989ab4d-bdd3-5239-37e1-e3681bbc7025 |
| 75 | +[devops_doc]: https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/413/Credential-Scan-Step-in-Pipeline |
| 76 | +[suppression_file]: https://github.com/Azure/azure-sdk-for-net/blob/main/eng/CredScanSuppression.json |
0 commit comments