How secure are Azure DevOps service connections?

I am currently reviewing the security of Azure DevOps service connections: how secure are the credentials stored in a service connection?

Take the TwineAuthenticate task, for example. It extracts the credentials from the service connection pythonUploadServiceConnection and writes them to the PyPI rc file (.pypirc).

Or does it?

Inspecting this file (edit:

```yaml
- script: |
    cat $(PYPIRC_PATH)
```

shows the values of user and password as ***, which are not the credentials the service connection provides.

So what magic happens when twine reads the .pypirc file? Is this secure, or just obfuscated?

Azure DevOps masks the variables it knows to be secret. This article is about GitHub Actions, but you can apply the same rules to Azure DevOps.

See here in the docs:

We make an effort to mask secrets from appearing in Azure Pipelines output, but you still need to take precautions. Never echo secrets as output. Some operating systems log command line arguments. Never pass secrets on the command line. Instead, we suggest that you map your secrets into environment variables.

We never mask substrings of secrets. If, for example, "abc123" is set as a secret, "abc" isn't masked from the logs. This is to avoid masking secrets at too granular of a level, making the logs unreadable. For this reason, secrets should not contain structured data. If, for example, "{ "foo": "bar" }" is set as a secret, "bar" isn't masked from the logs.
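To make the distinction between masking and protection concrete, here is an added example (not from the original question or answer, and not Azure DevOps code) that models the behaviour described above: the file written to the agent contains the real credential, only the pipeline log output is masked, and masking is an exact-match replacement that does not cover substrings or values nested in structured secrets. The token, the secret values and the mask_output model are constructed assumptions; the real Azure masker is more elaborate than this.

```python
import json

# Constructed sample values (not real credentials).
PYPI_TOKEN = "pypi-constructed-sample-token-0123456789"
STRUCTURED_SECRET = json.dumps({"foo": "bar"})  # the docs' '{ "foo": "bar" }' case


def render_pypirc(username: str, password: str) -> str:
    """Build the .pypirc text a TwineAuthenticate-style task writes to disk.

    The credential lands in the file in plaintext; nothing here is masked.
    """
    return (
        "[distutils]\nindex-servers = pypi\n\n"
        "[pypi]\nrepository = https://upload.pypi.org/legacy/\n"
        f"username = {username}\npassword = {password}\n"
    )


def mask_output(text: str, secrets: list[str]) -> str:
    """Simplified model (assumption) of the log masker.

    Only exact, whole occurrences of a registered secret are replaced by ***.
    Substrings of a secret, and parts of a structured secret, pass through
    untouched, which is the caveat the Azure DevOps docs spell out.
    """
    for secret in sorted(secrets, key=len, reverse=True):
        if secret:
            text = text.replace(secret, "***")
    return text


def demo() -> dict:
    """Return what is on disk versus what `cat $(PYPIRC_PATH)` shows in the log."""
    on_disk = render_pypirc("__token__", PYPI_TOKEN)
    in_log = mask_output(on_disk, [PYPI_TOKEN])
    return {
        "disk_has_token": PYPI_TOKEN in on_disk,   # True: the agent holds the secret
        "log_has_token": PYPI_TOKEN in in_log,     # False: only the log is masked
        "log_password_line": [l for l in in_log.splitlines() if l.startswith("password")][0],
        # Substring of the secret "abc123" is not masked.
        "substring_leak": mask_output("prefix is abc", ["abc123"]),
        # Inner value of a structured secret is not masked.
        "structured_leak": mask_output("value is bar", [STRUCTURED_SECRET]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows the answer to the question: twine reads the real token from the file, so the *** is log masking, not encryption at rest on the agent.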