chore(security): make TLS cert/key placeholders obvious for secret scanning#183
Open
kriscoleman wants to merge 1 commit into
Open
chore(security): make TLS cert/key placeholders obvious for secret scanning#183kriscoleman wants to merge 1 commit into
kriscoleman wants to merge 1 commit into
Conversation
…et-scanning
The mlflow chart and the self-signed-vs-user-provided-tls pattern shipped empty
PEM blocks as example TLS values:
cert: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
key: |
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
GitHub secret scanning flags these (generic private key) even though they're
empty, which clutters the security reports and makes audits noisier. Replace
them with empty-string defaults and a comment that makes the placeholder intent
explicit, so there are no PEM markers to flag and it's obvious to an auditor
that nothing real is committed. Regenerated the mlflow helm-docs README table to
match.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Cleaning up the TLS placeholders that keep tripping secret scanning.
The mlflow chart and the self-signed-vs-user-provided-tls pattern shipped example TLS config with empty PEM blocks (
-----BEGIN PRIVATE KEY-----then-----END PRIVATE KEY-----with nothing in between). They aren't real keys, but secret scanning flags the markers anyway, which just adds noise to the security reports and makes audits harder than they need to be.This swaps them for empty-string defaults with a comment that spells out the placeholder intent, so there's no PEM marker left to flag and it's obvious to an auditor that nothing real is here. I also regenerated the mlflow helm-docs README table to match.
That clears the live alerts on
applications/mlflow/charts/mlflow/values.yamlandpatterns/self-signed-vs-user-provided-tls/README.md.One more for the record: the other alert points at
applications/cassandra/charts/cassandra/templates/cassandra-tls-secret.yaml, which had an actual example key in it. That cassandra app has since been removed frommain, so the key only lives in git history now, nothing left in the tree to change. I think we just dismiss that one (example key, app already removed) rather than rewrite history for a sample chart. 🤔🤖 Generated with Claude Code