documentation/credscan-process.md
7 additions & 6 deletions
@@ -44,21 +44,22 @@ false alarm. CredScan allows you to suppress fake credentials by either suppress
44
44
warnings for a whole file. **Files that contain more than just fake credentials shouldn't be suppressed.**
45
45
46
46
Credential warnings are suppressed in [eng/CredScanSuppression.json][suppression_file]. Suppressed string values are in
47
-
the `"placeholder"` list, and suppressed files are in the `"file"`list under `"suppressions"`.
47
+
the `"placeholder"` list, and suppressed files are in the `"file"`lists under `"suppressions"`.
48
48
49
49
If you have a fake credential flagged by CredScan, try one of the following (listed from most to least preferable):
50
-
- Import and use a suitable credential from a file that's already suppressed in [eng/CredScanSuppression.json][suppression_file].
50
+
- Import and use a suitable credential from a file that's already suppressed in [eng/CredScanSuppression.json][suppression_file]. If the fake credential will be used by multiple packages, consider adding and exporting it in the `test-utils` package.
51
+
- If the test credentials are specific to your package, create a `fakeTestSecrets.ts` file under your `test` folder, add and export the fake secrets from this file, and add the file path to the list of suppressed files if necessary.
51
52
- Replace the credential with a string value that's already suppressed in [eng/CredScanSuppression.json][suppression_file]. "SecretPlaceholder" is a good one to use.
52
-
- Move the credential into a `fakeCredentials.ts` file in your package, and add the file path to the list of suppressed files if necessary.
53
-
- Add the credential to the list of suppressed string values.
53
+
- Add the string that uses credential to the list of suppressed string values. For examples, `"password: fakeTestSecretPlaceholder,"`
54
54
55
55
Ideally, fake credential files -- which contain nothing but fake secrets -- should be suppressed and their fake
56
56
credentials shouldn't appear in any other files. Sanitizers should be used to keep fake credentials out of test
57
57
recordings when possible. String value suppression should be avoided unless the string appears in many files.
58
58
59
59
Suppressing string values will disable warnings no matter where the string comes up during a scan, but is inefficient
60
-
and inconvenient for lengthy strings. Suppressing warnings in a file is convenient for fake credential files, but
61
-
strings in that file will still trigger warnings if present in another unsuppressed file.
60
+
and inconvenient for lengthy strings. **Note** due to current limitation of the CredScan tool, a whole text line is suppress if the line matches one suppression pattern, which means if a real secret and a suppressed string value are in the same line, the real secret are not reported! We should be very careful when adding a suppressing string value.
61
+
62
+
Suppressing warnings in a file is convenient for fake credential files, but strings in that file will still trigger warnings if present in another unsuppressed file.
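Review bot: the new **Note** paragraph in the last `+` block is the most security-relevant sentence in this hunk and needs its grammar fixed before merge so the warning is unambiguous; suggest "due to a current limitation of the CredScan tool, a whole text line is suppressed if it matches one suppression pattern, so if a real secret and a suppressed string value are on the same line, the real secret is not reported." Two smaller items in the same hunk: the re-added line "suppressed files are in the `"file"`lists" still lacks a space before "lists", and the last bullet should read "Add the string that uses the credential to the list of suppressed string values. For example, `"password: fakeTestSecretPlaceholder,"`". It would also help to state why that bullet now shows a full-line pattern instead of a bare placeholder: a longer, more specific suppressed string is what limits how many lines the whole-line suppression can silently cover, which ties the bullet back to the limitation described in the note.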