action #160334
open openQA Project (public) - coordination #105624: [saga][epic] Reconsider how openQA handles secrets
[qe-core] Add CI/CD check to avoid uses of nots3cr3t or other hardcoded password in pull requests
100%
Description
Motivation
In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments".
This will not stop somebody from adding a different password though, so we need to think a bit before working on this; however, we can start with using it on the data directory first.
Updated by szarate 8 months ago
- Related to coordination #96596: [qe-core][CI] CI/CD and Coding style improvements added
Updated by szarate 8 months ago
- Related to action #160325: [qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3t added
Updated by tinawang123 4 months ago
- Status changed from Workable to In Progress
- Assignee set to tinawang123
Updated by tinawang123 4 months ago
- Status changed from In Progress to Blocked
Need to remove passwords in the data folder first.
Blocked by ticket: https://progress.opensuse.org/issues/166439
Updated by JERiveraMoya 2 months ago
Please don't forget to provide a way to disable the check in the CI, for some specific folder for example, so testing for agama will not be stopped. At the moment there is no way to set an encrypted password in profiles; https://progress.opensuse.org/issues/168853 is work in progress:
Updated by tinawang123 about 1 month ago
Only two files include the hardcoded password:
yutao-qa1:/var/lib/openqa/tests/sle # grep -r 'nots3cr3t' data/*
data/wsl/Autounattend_BIOS.xml: nots3cr3t
data/wsl/Autounattend_UEFI.xml: nots3cr3t
Updated by tinawang123 about 1 month ago
- Related to action #173938: Remove hardcode password for wsl/Autounattend_BIOS.xml and wsl/Autounattend_UEFI.xml added
Updated by mgrifalconi 8 days ago
- Sprint changed from QE-Core: November Sprint 24 (Nov 06 - Dec 04) to QE-Core: January Sprint 25 (Jan 09 - Feb 04)
- Tags changed from password, security, qe-core-may-sprint, qe-core-august-sprint to password, security
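
A minimal version of the check discussed in this ticket, including the per-folder opt-out requested in the comments, as an added example that is not code from the openQA project. The exempt folder `data/agama/`, the function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not openQA project code). Assumes GNU grep for -r and -I.
# Known hardcoded passwords to reject, one per line; only nots3cr3t is from the ticket.
DENY_PATTERNS='nots3cr3t'
# Space-separated path prefixes exempt from the check (hypothetical folder name).
EXEMPT_PREFIXES=${EXEMPT_PREFIXES:-'data/agama/'}

# is_exempt REL_PATH: succeeds when the path lies under an exempt prefix.
is_exempt() {
    for prefix in $EXEMPT_PREFIXES; do
        case "$1" in "$prefix"*) return 0 ;; esac
    done
    return 1
}

# scan_tree ROOT: prints non-exempt files containing a denied string;
# returns 1 when at least one such file exists, 0 otherwise.
scan_tree() {
    hits=$(cd "$1" && grep -rlIF -e "$DENY_PATTERNS" . | sed 's|^\./||' | sort)
    found=0
    while IFS= read -r file; do
        [ -n "$file" ] || continue
        is_exempt "$file" && continue
        printf '%s\n' "$file"
        found=1
    done <<EOF
$hits
EOF
    return "$found"
}

# make_sample_tree: builds a constructed test tree and prints its location.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/data/wsl" "$tree/data/agama" "$tree/tests"
    printf '<Value>nots3cr3t</Value>\n' > "$tree/data/wsl/Autounattend_BIOS.xml"
    printf '{"password": "nots3cr3t"}\n' > "$tree/data/agama/profile.json"
    printf 'type_password $testapi::password;\n' > "$tree/tests/login.pm"
    printf '%s\n' "$tree"
}

# Demo run on the constructed tree; in CI the root would be the checkout
# and a non-zero return from scan_tree would fail the job.
sample=$(make_sample_tree)
if scan_tree "$sample"; then echo "OK"; else echo "FAIL: hardcoded password found"; fi
rm -rf "$sample"
```

A denylist like this only catches the strings it is given, which is the limitation the description already points out; the exemption list keeps the gate from blocking folders that cannot yet use encrypted passwords.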