Forum Discussion

barto's avatar
barto
New Contributor
9 months ago
Solved

How are you securing secrets for storing your projects in github?

We're trying to migrate our ReadyAPI suites into github and I'm getting a little stuck with ReadyAPI's documentation on how to encrypt passwords we use to test our application, I'm hoping someone has...
Configuration
Function Tests
SOAP
Test Setup
  • KarelHusa's avatar
    KarelHusa
    9 months ago

    barto,

    in the case of encrypted properties, you can set up a project-level property (e.g., MyAppSecret) and then use it in the Auth manager as well:

     

    ${#Project#MyAppSecret}

    The property is used in Auth manager requests and masked in the logs, at least in the logs I tried.

     

    Moreover, you can override the propery value from the command line, e.g., when you execute the test from the pipeline. So, for some environments you can include the secret and inject in the pipeline for others.

     

    Though, if the secret fields from Auth manager would be treated as sensitive and encrypted by default we wouldn't need this. You can raise a feature request for this.

     

nmrao's avatar
nmrao
Champion Level 3
9 months ago

You can use the project level property, as KarelHusa suggests,  to hold the data, but the value of the sensitive data should be emptied (irrespective of value being encrypted or not) before pushing the project to repository or sharing with other people.

 

One can provide the property value either by command line as KarelHusa said, or using the property file without modifying the project.

This way, each engineer can use their credentials when executed on their machine.

However, if the execution is on common machine such as CI/CD, it may not work because the commands are logged.

 

Otherway is to use public key if supported or to have a common special(non-human) user for build pipeline purpose so that it does not affect even if every one knows the credentials.

  • KarelHusa's avatar
    KarelHusa
    Champion Level 3
    9 months ago

    nmrao, good points. 

     

    In CI/CD pipeline you can also use secrets that will be masked in pipeline logs.

     

    Sensitive information must be treated as secret at all levels: CI/CD execution, inside ReadyAPI, server logs, etc.