Is your feature request related to a problem? Please describe.
The agent has built-in secrets redaction capabilities, which is ace:
https://buildkite.com/docs/agent/v3#promoted-experiments-redacted-variables
However, the buildkite-agent annotate function does not redact any input. This results in the ability for people to create pipelines that can easily bypass the redaction capabilities.

Describe the solution you'd like
buildkite-agent annotate passes the provided messages through to the redaction filter prior to submitting the annotation to the Buildkite server.

Describe alternatives you've considered
None

Additional context
We came across this issue as we had a unit test that was asserting that an environment variable was set to an expected value.
The unit test usually mocks the value; however, a mistake was made in the change that read the env var from the Buildkite agent instead of mocking it.
The expectation failed, the assertion comparison message contained the secret in its output, which was then stored in the JUnit XML output and stored as an attachment on the build step.
The junit-annotate-buildkite-plugin processed the JUnit output and annotated the build with the failure, which resulted in the leak.
https://github.com/buildkite-plugins/junit-annotate-buildkite-plugin/blob/97d3bdea7c325bedf8c704cfc3047d201799da88/hooks/command#L113
Obviously, filtering the annotate command will only resolve part of the problem we faced in this particular instance; the secret was still in plain text in the artifact attached to the build step, and also in Test Analytics, so consideration may need to be made for that separately.
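As an added illustration of the filter the request describes (example code written for this page, not the agent's own implementation), the sketch below selects secret values from the environment by glob pattern and scrubs them from an annotation body before it would be submitted. The pattern list, the minimum secret length and the [REDACTED] marker are assumptions, as is the constructed JUnit-style failure message.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// Values shorter than this are skipped: redacting a one-character value
// would shred the whole annotation. The threshold is an assumed value.
const minSecretLen = 6

// SecretsFromEnv returns the values of env vars whose names match any of
// the glob patterns (e.g. "*_TOKEN"), in the spirit of the agent's
// redacted-variables experiment. Longest values come first so that a
// secret containing another secret is replaced whole, not left as a stub.
func SecretsFromEnv(env map[string]string, patterns []string) []string {
	var secrets []string
	for name, value := range env {
		if len(value) < minSecretLen {
			continue
		}
		for _, p := range patterns {
			if ok, _ := path.Match(p, name); ok {
				secrets = append(secrets, value)
				break
			}
		}
	}
	sort.Slice(secrets, func(i, j int) bool { return len(secrets[i]) > len(secrets[j]) })
	return secrets
}

// RedactAnnotation replaces every occurrence of each secret in the
// annotation body, i.e. the step the issue asks annotate to perform
// before the body leaves the agent.
func RedactAnnotation(body string, secrets []string) string {
	for _, s := range secrets {
		body = strings.ReplaceAll(body, s, "[REDACTED]")
	}
	return body
}

func main() {
	// Constructed sample: an env with one secret and the kind of assertion
	// message that leaked in the scenario above.
	env := map[string]string{"BUILDKITE_BUILD_NUMBER": "42", "DEPLOY_API_TOKEN": "tok_live_9f8e7d6c5b4a"}
	msg := "expected MOCK_VALUE but got tok_live_9f8e7d6c5b4a"
	fmt.Println(RedactAnnotation(msg, SecretsFromEnv(env, []string{"*_TOKEN", "*_SECRET", "*_PASSWORD"})))
}
```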
G'day @testworksau! Secrets redaction is (as you've found) currently focussed only on logs, and we don't guarantee that any other output from the agent gets redacted. We're not currently planning to extend redaction further; however, we'd be happy to accept PRs along this vein. In the meantime, we'll put it in our backlog for further discussion the next time we're working in the area.
If you're keen on making a PR and wanna chat implementation, we're more than happy to help out :)