Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disallow uploading pipelines containing interpolated secrets by default #1593

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+9 −9
Open

Disallow uploading pipelines containing interpolated secrets by default #1593

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 9 additions & 9 deletions clicommand/pipeline_upload.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ type PipelineUploadConfig struct {
DryRun bool `cli:"dry-run"`
NoInterpolation bool `cli:"no-interpolation"`
RedactedVars []string `cli:"redacted-vars" normalize:"list"`
RejectSecrets bool `cli:"reject-secrets"`
AllowSecrets bool `cli:"allow-secrets"`

// Global flags
Debug bool `cli:"debug"`
Expand Down Expand Up @@ -99,9 +99,9 @@ var PipelineUploadCommand = cli.Command{
EnvVar: "BUILDKITE_PIPELINE_NO_INTERPOLATION",
},
cli.BoolFlag{
Name: "reject-secrets",
Usage: "When true, fail the pipeline upload early if the the pipeline contains secrets",
EnvVar: "BUILDKITE_AGENT_PIPELINE_UPLOAD_REJECT_SECRETS",
Name: "allow-secrets",
Usage: "When true, allows the uploaded pipeline to be uploaded when it has interpolated secrets. Included for compatibility with Agent v3, using this flag is insecure.",
EnvVar: "BUILDKITE_AGENT_PIPELINE_UPLOAD_ALLOW_SECRETS",
},

// API Flags
Expand Down Expand Up @@ -251,12 +251,12 @@ var PipelineUploadCommand = cli.Command{
}

if len(secretsFound) > 0 {
if cfg.RejectSecrets {
l.Fatal("Pipeline %q contains values interpolated from the following secret environment variables: %v, and cannot be uploaded to Buildkite", src, secretsFound)
if cfg.AllowSecrets {
l.Warn("Pipeline %q contains values interpolated from the following secret environment variables: %v, which could leak sensitive information into the Buildkite UI", src, secretsFound)
l.Warn("This pipeline will still be uploaded, because you've used the `--allow-secrets flag or the `BUILDKITE_AGENT_PIPELINE_UPLOAD_ALLOW_SECRETS` environment variable.")
l.Warn("This behaviour is insecure, and may be removed in a future version of the agent")
} else {
l.Warn("Pipeline %q contains values interpolated from the following secret environment variables: %v, which could leak sensitive information into the Buildkite UI.", src, secretsFound)
l.Warn("This pipeline will still be uploaded, but if you'd like to to prevent this from happening, you can use the `--reject-secrets` cli flag, or the `BUILDKITE_AGENT_PIPELINE_UPLOAD_REJECT_SECRETS` environment variable, which will make the `buildkite-agent pipeline upload` command fail if it finds secrets in the pipeline.")
l.Warn("The behaviour in the above flags will become default in Buildkite Agent v4")
l.Fatal("Pipeline %q contains values interpolated from the following secret environment variables: %v, and cannot be uploaded to Buildkite", src, secretsFound)
}
}
}
Expand Down