Major Epic Goal
- Update Quay pull secrets to be uniquely identifiable via regex so that they can be caught by GitHub in the event of an accidental commit.
Why is this important?
- GitHub is a public version control system that is constantly scanned for leaked credentials. GitHub has rolled out a secret scanning program that allows application owners to partner with GitHub to identify and block unique tokens. It is imperative that Quay participate in this program so that it can offer additional security guarantees to users, e.g., if a Quay pull secret is leaked, it can be easily identified via regex and blocked from public access without additional user intervention.
Scenarios
- When a user tries to push a Quay pull secret to a public GitHub repository, GitHub is able to block that push.
Acceptance Criteria
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
- ...
Open questions::
- Is there a way to update existing secrets to be uniquely identifiable without radically changing the secret?
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>