Secrets Not Removed From Artifacts


(Kurtis Lamb) #1

Hello,

We have recently discovered that certain Artifacts created from DACPAC report-only deployments (.SQL scripts) can often show the credentials/passwords when re-attached back into Octopus.

What we know Octopus does well is hiding any secrets in any verbose log output it shows on screen; what we have found, though, is that when pulling back the .SQL, the service accounts and secrets used to run the DACPAC etc. are showing in plain text when re-attached.

Is it possible that Octopus can or should screen and replace any secrets in the Artifacts attached?

At the moment we have had to disable Artifact viewing for everyone except authorised users (those who have clearance to see the secrets, DBAs etc.), as well as run custom Artifact clean-up scripts to remove any secrets in existing files and in new ones as we move forward.

Thanks in advance
Kurt


(Michael Noonan) #2

Hi Kurt,

Thanks for getting in touch. We don’t have anything built-in which will scrub artifacts as they are added to Octopus. It is interesting food for thought. Scrubbing artifacts automatically could have unintended side effects, but I could imagine something like New-OctopusArtifact -Path "report.txt" -ScrubSensitiveValues would be convenient so you could opt-in to have Octopus scrub the file on your behalf.

In the meantime I would suggest doing the scrubbing yourself on the deployment target or worker just before adding the artifact.

I’ve reworked our Artifacts documentation in case it can help you or someone else in the future.

If you think this is something we should build into Octopus, feel free to add a suggestion to our UserVoice with any context you think would help get the vote count up.

Hope that helps!
Mike
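
As an added example (not code from the thread, and not Octopus's own), the following PowerShell step script does the scrubbing Mike describes on the deployment target or worker before calling New-OctopusArtifact. It masks two things: every value the step already holds as a sensitive Octopus variable (literal replace), and credential-shaped fields the report may contain regardless (connection-string Password/Pwd/User ID keys and credential-like SQLCMD :setvar lines). The variable names DbServiceAccount and DbPassword, the file name DeployScript.sql and the regex patterns are assumptions for this example; $OctopusParameters and New-OctopusArtifact are the standard Octopus PowerShell step facilities. Run outside Octopus, it scrubs a constructed sample instead.

```powershell
# Added example, not Octopus's own code. Scrubs a DACPAC deploy script/report on
# the target/worker before it is attached as an artifact. Assumed (not from the
# thread): sensitive Octopus variables DbServiceAccount and DbPassword, and a
# report file named DeployScript.sql in the working directory.

function Remove-SecretsFromText {
    param(
        [Parameter(Mandatory)] [AllowNull()] [AllowEmptyString()] [string] $Text,
        [string[]] $KnownSecrets = @(),
        [string] $Mask = '********'
    )
    $result = [string]$Text

    # 1. Literal replacement of every value Octopus already treats as sensitive.
    #    String.Replace is an ordinal, non-regex replace, so metacharacters in a
    #    password ('$', '.', '(') cannot break the match. Very short values would
    #    over-mask, so keep this list to real credentials.
    foreach ($secret in $KnownSecrets) {
        if (-not [string]::IsNullOrEmpty($secret)) {
            $result = $result.Replace($secret, $Mask)
        }
    }

    # 2. Pattern-based masking for credentials composed at runtime that never
    #    passed through Octopus as a sensitive variable: connection-string keys
    #    (Password=, Pwd=, User ID=, Uid=) and SQLCMD :setvar lines whose
    #    variable name looks credential-like. Assumed patterns; extend per report.
    $patterns = @(
        '(?i)(\b(?:\w*password|\w*pwd|user\s*id|uid)\s*=\s*)[^;"''\r\n]+',
        '(?i)(:setvar\s+\w*(?:password|pwd|secret|token|account)\w*\s+)"?[^"\r\n]+"?'
    )
    foreach ($pattern in $patterns) {
        $result = [regex]::Replace($result, $pattern, ('${1}' + $Mask))
    }
    return $result
}

function Remove-SecretsFromFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $KnownSecrets = @(),
        [string] $OutPath
    )
    if (-not $OutPath) {
        # DeployScript.sql -> DeployScript.scrubbed.sql; the original is left untouched.
        $ext = [System.IO.Path]::GetExtension($Path)
        $OutPath = [System.IO.Path]::ChangeExtension($Path, 'scrubbed' + $ext)
    }
    $text  = Get-Content -Path $Path -Raw
    $clean = Remove-SecretsFromText -Text $text -KnownSecrets $KnownSecrets
    Set-Content -Path $OutPath -Value $clean -NoNewline
    return $OutPath
}

if (Get-Command New-OctopusArtifact -ErrorAction SilentlyContinue) {
    # Inside an Octopus step: gather the sensitive values this deployment used
    # and attach only the scrubbed copy (variable names are assumptions).
    $secrets  = @($OctopusParameters['DbServiceAccount'], $OctopusParameters['DbPassword'])
    $scrubbed = Remove-SecretsFromFile -Path 'DeployScript.sql' -KnownSecrets $secrets
    New-OctopusArtifact -Path $scrubbed -Name 'DeployScript.scrubbed.sql'
}
else {
    # Constructed sample (not a real report) of the content described in the thread.
    $sample = @'
:setvar DbServiceAccount "svc_dacpac"
:setvar DbPassword "Hunter2!"
-- connection used by the deploy:
-- Server=sql01;Database=Orders;User ID=svc_dacpac;Password=Hunter2!;
GO
'@
    Remove-SecretsFromText -Text $sample -KnownSecrets @('svc_dacpac', 'Hunter2!')
}
```

Two caveats a practitioner would want: the regex pass only knows the formats listed, so review a scrubbed file before trusting the approach on a new report type; and scrubbing is the fallback, not the fix. If the tool that produces the report can be told not to embed credentials (passing them as deploy-time SQLCMD variables rather than writing them into the script), do that first and keep the scrub as a safety net.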


(Kurtis Lamb) #3

Morning Mike,

That would be ideal! It's only come to light of late, so we are in the process of adding some automated scrubbing in :slight_smile:

I'll have a look at adding a suggestion to UserVoice :slight_smile:

Cheers
Kurt