
Hey, this is Howon from CodeRabbit. We use a cloud-provider-provided key vault for application secrets, including the GH private key.


This reply, while useful, only serves to obfuscate and doesn’t actually answer the question.

You can store the credentials in a key vault but then post them on Pastebin. The issue is that the individual runner has the key in its environment variables. Both can be true: the key can be given to the runner in env and the key is stored in a key vault.

The important distinction here is: have you removed the master key and other sensitive credentials from the environment passed into scanners that come in contact with customer untrusted code?
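The distinction the comment above draws (secrets held by the runner versus secrets visible to the scanner process) comes down to what environment the scanner is spawned with. As an added example that is not CodeRabbit's code or any commenter's, here is one way to spawn a scanner with an allowlisted environment and verify end to end that a key held by the runner does not reach the child; all variable names and patterns are assumptions.

```python
"""Added example (not from CodeRabbit or the thread): give a scanner
subprocess a fresh, allowlisted environment instead of inheriting the
runner's os.environ, so credentials such as a GitHub App private key are
not exposed to tools that process untrusted customer code."""
import os
import re
import subprocess
import sys

# Variables a scanner legitimately needs; everything else is dropped.
SCANNER_ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "TMPDIR")

# Defence in depth: names that look like credentials never pass, even if
# someone later adds one to the allowlist by mistake (constructed pattern).
SECRET_NAME_PATTERN = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL", re.I)


def build_scanner_env(parent_env):
    """Return a new dict holding only allowlisted, non-secret variables."""
    return {name: parent_env[name] for name in SCANNER_ENV_ALLOWLIST
            if name in parent_env and not SECRET_NAME_PATTERN.search(name)}


def leaked_secret_names(env):
    """Variable names in env that look like credentials; should be empty."""
    return sorted(n for n in env if SECRET_NAME_PATTERN.search(n))


def run_scanner(cmd, parent_env=None):
    """Run a scanner with the scrubbed environment, refusing to start if
    anything credential-like survived the scrub."""
    env = build_scanner_env(os.environ if parent_env is None else parent_env)
    if leaked_secret_names(env):
        raise RuntimeError("refusing to start scanner: secrets in env")
    # env= replaces the child's environment entirely; nothing else is inherited.
    return subprocess.run(cmd, env=env, capture_output=True, text=True, check=False)


def child_visible_names(parent_env):
    """Spawn a Python child under the scrubbed env and return the variable
    names it can actually see, as an end-to-end check of the scrubbing."""
    probe = "import os; print(' '.join(sorted(os.environ)))"
    return run_scanner([sys.executable, "-c", probe], parent_env).stdout.split()


if __name__ == "__main__":
    # Constructed runner environment: a fake private key next to PATH.
    runner_env = {"PATH": os.environ.get("PATH", "/usr/bin"),
                  "GH_APP_PRIVATE_KEY": "-----BEGIN FAKE KEY-----"}
    print(child_visible_names(runner_env))  # GH_APP_PRIVATE_KEY is absent
```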


Not at that time though, right, considering it was dumped? You have changed since, which is good, but under a year ago you had it as just an env var.



