buildkite-agent annotate command should redact secrets #2623

Open
testworksau opened this issue Feb 9, 2024 · 1 comment

Comments


testworksau commented Feb 9, 2024

Is your feature request related to a problem? Please describe.
The agent has built-in secrets redaction capabilities, which is ace:
https://buildkite.com/docs/agent/v3#promoted-experiments-redacted-variables

However the buildkite-agent annotate function does not redact any input.

This results in the ability for people to create pipelines that can easily bypass the redaction capabilities.

Describe the solution you'd like
buildkite-agent annotate passes the provided messages through to the redaction filter prior to submitting the annotation to the Buildkite server.

Describe alternatives you've considered
None

Additional context
We came across this issue as we had a unit test that was asserting that an environment variable was set to an expected value.

The unit test usually mocks the value; however, a mistake was made in the change that read the env var from the Buildkite agent instead of mocking it.

The expectation failed, and the assertion comparison message contained the secret in its output, which was then stored in the JUnit XML output and stored as an attachment on the build step.

The junit-annotate-buildkite-plugin processed the JUnit output, and annotated the build with the failure, which resulted in the leak.

https://github.com/buildkite-plugins/junit-annotate-buildkite-plugin/blob/97d3bdea7c325bedf8c704cfc3047d201799da88/hooks/command#L113

Obviously, filtering the annotate command will only resolve part of the problem we faced in this particular instance; the secret was still in plain text in the artifact attached to the build step, and also in Test Analytics, so consideration may need to be made for that separately.
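
The filter the request above describes, as an added example (this is not code from the buildkite-agent project or from the issue author): a small Go program that reads an annotation body on stdin, collects the values of environment variables whose names match redaction patterns, and replaces every occurrence with a placeholder before the body reaches `buildkite-agent annotate`. The pattern list is assumed to mirror the agent's `--redacted-vars` defaults, the minimum secret length of 6 and the `[REDACTED]` placeholder are assumptions, and `CollectSecrets` / `Redact` are names chosen for this example. Secrets are applied longest-first so that a short secret which is a substring of a longer one cannot leave a partial fragment of the longer one behind.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Glob-style patterns for environment variable NAMES whose values are treated
// as secrets. Assumed to mirror the agent's --redacted-vars defaults; adjust to
// match your own agent configuration.
var DefaultRedactedVars = []string{
	"*_PASSWORD", "*_SECRET", "*_TOKEN", "*_PRIVATE_KEY",
	"*_ACCESS_KEY", "*_SECRET_KEY", "*_CONNECTION_STRING",
}

// MinSecretLength: values shorter than this are not redacted, because matching
// very short strings would mangle ordinary text. (Assumed threshold.)
const MinSecretLength = 6

// Redacted is the placeholder substituted for every secret occurrence.
const Redacted = "[REDACTED]"

// MatchesRedactedVar reports whether an env var name matches any pattern.
// Env var names contain no path separators, so filepath.Match's "*" is a
// plain wildcard here.
func MatchesRedactedVar(name string, patterns []string) bool {
	for _, p := range patterns {
		if ok, _ := filepath.Match(p, name); ok {
			return true
		}
	}
	return false
}

// CollectSecrets takes "KEY=VALUE" pairs (the shape of os.Environ()) and
// returns the values whose names match the patterns and that are long enough.
func CollectSecrets(environ []string, patterns []string) []string {
	var secrets []string
	for _, kv := range environ {
		name, value, ok := strings.Cut(kv, "=")
		if !ok || len(value) < MinSecretLength {
			continue
		}
		if MatchesRedactedVar(name, patterns) {
			secrets = append(secrets, value)
		}
	}
	// Longest first: a secret that is a substring of another must not leave
	// a partial fragment of the longer one behind after replacement.
	sort.Slice(secrets, func(i, j int) bool { return len(secrets[i]) > len(secrets[j]) })
	return secrets
}

// Redact replaces every occurrence of every secret in msg with the placeholder.
func Redact(msg string, secrets []string) string {
	for _, s := range secrets {
		msg = strings.ReplaceAll(msg, s, Redacted)
	}
	return msg
}

// Usage in a pipeline step (assumed wiring, not part of the agent):
//   ./redact < annotation.md | buildkite-agent annotate --style error
func main() {
	in, err := io.ReadAll(bufio.NewReader(os.Stdin))
	if err != nil {
		fmt.Fprintln(os.Stderr, "read stdin:", err)
		os.Exit(1)
	}
	secrets := CollectSecrets(os.Environ(), DefaultRedactedVars)
	os.Stdout.WriteString(Redact(string(in), secrets))
}
```

Piping the annotation body through this filter only closes the annotation path; as the report notes, the same value can still sit in the JUnit artifact and in Test Analytics, so those outputs need their own handling.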

Contributor

moskyb commented Feb 14, 2024

g'day @testworksau! secrets redaction is (as you've found) currently focussed only on logs, and we don't guarantee that any other output from the agent gets redacted. we're not currently planning to extend redaction further, however, we'd be happy to accept PRs along this vein. in the meantime, we'll put it in our backlog for further discussion the next time we're working in the area.

if you're keen on making a PR and wanna chat implementation, we're more than happy to help out :)
