Audit log event for expose secrets
pending feedback
Fond Grasshopper
Our security team has requested that it be recorded in an audit log when a secret is exposed via an export and is visible on the output tab.
Fond Grasshopper
While I do understand the best practice of handling secrets, we (and more so information security) need to know if someone exposes a secret so the audit log can be flagged and the incident investigated to determine if the act was malicious or not. We're about to expand our pipeline editor roles to a wider group and want to ensure best practices are being adhered to.
ompragash updated the status to pending feedback
ompragash
Please use the Secret type for CI output variables instead of exporting the secret as a plain output, since plain outputs can be visible in the Output Variables tab. Docs: https://developer.harness.io/docs/continuous-integration/use-ci/run-step-settings/#output-variables and refer to the section "Early access feature: Secret type selection".
Can you confirm if this satisfies the security requirement?