We have recently discovered that certain Artifacts created from DACPAC report-only deployments (.SQL scripts) can often show the credentials/passwords when re-attached back into Octopus.
What we know Octopus does well is hiding any secrets in any verbose log output it shows on screen. What we have found, though, is that when pulling back .SQL, the service accounts and secrets used to run the DACPAC etc. are showing in plain text when re-attached.
Is it possible that Octopus can or should screen and replace any secrets in the Artifacts attached?
At the moment we have had to disable Artifact viewing for non-authorized users (those who have clearance to see the secrets (DBAs etc.)), as well as run custom Artifact clean-up scripts to remove any secrets in existing files and new ones as we move forward.
Thanks in advance
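
A sketch of the kind of clean-up pass the post describes, run over a generated .SQL script before it is attached as an artifact. This is an added example, not part of the original post and not Octopus's own code. It assumes secrets appear as SQLCMD `:setvar` values, as `PASSWORD = '...'` literals, or as exact values the deployment already knows; the helper name `redact_sql`, the variable-name pattern and the sample script are all constructed for illustration.

```python
import re

MASK = "********"
# Assumption: sensitive SQLCMD variables follow a naming convention like this.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)
# :setvar Name "value" lines at the top of a generated deployment script.
SETVAR = re.compile(r'^(?P<head>\s*:setvar\s+(?P<name>\w+)\s+)"(?P<value>[^"]*)"',
                    re.IGNORECASE | re.MULTILINE)
# PASSWORD = '...' or N'...' literals; '' is an escaped quote inside the literal.
PASSWORD_LITERAL = re.compile(r"(PASSWORD\s*=\s*N?')((?:[^']|'')*)(')", re.IGNORECASE)


def redact_sql(text, known_secrets=()):
    """Return (redacted_text, number_of_redactions). Hypothetical helper."""
    hits = 0

    def setvar(m):
        nonlocal hits
        if not SENSITIVE_NAME.search(m["name"]) or m["value"] == MASK:
            return m[0]
        hits += 1
        return f'{m["head"]}"{MASK}"'

    def literal(m):
        nonlocal hits
        if m[2] == MASK:
            return m[0]
        hits += 1
        return m[1] + MASK + m[3]

    text = SETVAR.sub(setvar, text)
    text = PASSWORD_LITERAL.sub(literal, text)
    # Exact-value pass catches secrets echoed elsewhere (PRINT, comments).
    # Longest first so a secret containing a shorter one is masked whole.
    for secret in sorted((s for s in known_secrets if len(s) >= 4), key=len, reverse=True):
        n = text.count(secret)
        hits += n
        text = text.replace(secret, MASK)
    return text, hits


# Constructed sample script; none of these values come from a real deployment.
SAMPLE = """\
:setvar DatabaseName "Sales"
:setvar SvcAccountPassword "Tr1cky-Constructed!"
GO
CREATE LOGIN [svc_deploy] WITH PASSWORD = N'Another''Constructed1';
PRINT N'Connecting as svc_deploy / Tr1cky-Constructed!';
"""

if __name__ == "__main__":
    clean, count = redact_sql(SAMPLE, known_secrets=["Tr1cky-Constructed!"])
    print(clean, f"-- {count} value(s) redacted")
```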