This repository was archived by the owner on Jun 5, 2025. It is now read-only.
Obfuscate secrets before sending a snippet out for analysis#332
Merged
jhrozek merged 3 commits intostacklok:mainfrom Dec 17, 2024
Merged
Obfuscate secrets before sending a snippet out for analysis#332jhrozek merged 3 commits intostacklok:mainfrom
jhrozek merged 3 commits intostacklok:mainfrom
Conversation
Contributor
|
Good idea! We can use the same class to obfuscate the secrets before persisting in the DB. |
jhrozek
force-pushed
the
secrets_obfuscate
branch
from
11dc56f to
e1113dc
Compare
jhrozek
changed the title
jhrozek
force-pushed
the
secrets_obfuscate
branch
from
e1113dc to
fef6824
Compare
Contributor
Author
|
This is now ready for review. @aponcedeleonch could you please test if I rebased atop your changes to how secrets are stored in the DB and alerts? I hope I didn't break anything. |
aponcedeleonch
approved these changes
Dec 16, 2024
This was manifesting in tests - if we kept loading signatures, they were being added to the list of signatures, which was causing double matches
Instead of coding up the secret encryption directly in the Pipeline step, let's split it out into a class of its own based on its own. The actual method that changes the secret is pluggable, for encryption where we need to get the secret value back we use the method we had used in the pipeline step. For things like extracting packages from a code snippet where we don't need to retrieve the original value we just replace the secret with a fixed number of asterisks.
We use the previously added SecretsObfuscator to hide the secrets before passing them to an LLM.
jhrozek
force-pushed
the
secrets_obfuscate
branch
from
fef6824 to
45159c8
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Load signatures only once - This was manifesting in tests - if we kept loading signatures, they were being added to the list of signatures, which was causing double matches
Split out secret obfuscation into reusable classes - Instead of coding up the secret encryption directly in the Pipeline step, let's split it out into a class of its own based on its own. The actual method that changes the secret is pluggable, for encryption where we need to get the secret value back we use the method we had used in the pipeline step. For things like extracting packages from a code snippet where we don't need to retrieve the original value we just replace the secret with a fixed number of asterisks.
Obfuscate secrets in code snippet before the code extraction step - We use the previously added SecretsObfuscator to hide the secrets before passing them to an LLM.