curuinor, 6 days ago:

Hey, this is Howon from CodeRabbit. We use a cloud-provider-provided key vault for application secrets, including the GH private key.
ipython, 6 days ago (reply):

This reply, while useful, only serves to obfuscate and doesn't actually answer the question. You can store the credentials in a key vault but then post them on pastebin. The issue is that the individual runner has the key in its environment variables. Both can be true: the key can be given to the runner in env and the key is stored in a key vault. The important distinction here is: have you removed the master key and other sensitive credentials from the environment passed into scanners that come in contact with customer untrusted code?
thyrfa, 6 days ago (reply):

Not at that time though, right, considering it was dumped? You have changed since, which is good, but under a year ago had it as just an env var.