Never store credentials as code/config in Azure Repos
The following is a best practice guideline from our series of 8 Azure Repos security best practices
1. Never store credentials as code/config in Azure Repos
There are a bunch of great tools available, like git-secrets, that can statically analyze your commits via a pre-commit Git hook to ensure you’re not trying to push any passwords or sensitive information into your Azure Repos repository. Commits are rejected if the tool matches any of the configured regular expression patterns that indicate sensitive information has been stored improperly. This may slow down pushes a tiny bit, but it’s well worth it. Additionally, CredScan, a plugin to Azure Pipelines, can detect credentials that are being introduced in pull requests during the PR validation build. Note that this tool is currently in preview.
Having team-wide rules that prevent credentials from being stored as code is a great way to police bad actions in the existing developer workflow. There are built-in tools like Azure KeyVault that allow you to store your keys in a vault, and you can use secure variable storage in Azure Pipelines to inject your secrets into your pipeline securely during deployment instead of committing them.
There are many ways to avoid putting credentials into your repository in the first place, and you should try to implement as many as you can; however, there’s always the chance some sensitive information may sneak in. You should also consider regularly auditing your repos, making use of tools like GitRob or truffleHog, both of which scan through your codebase, searching for sensitive information via pattern matching.
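To make the two ideas above concrete (a pre-commit hook that rejects commits matching secret-like patterns, and pattern-based auditing of existing content), here is a small POSIX shell scanner. It is an added example written for this article, not code from git-secrets, CredScan, GitRob or truffleHog; the regular expressions, the `scan_for_secrets` and `added_lines` function names and the hook file name are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the original post): a minimal pre-commit hook
# that rejects a commit when newly added lines match secret-like patterns.
# Install as .git/hooks/pre-commit and make it executable. The patterns are
# constructed for illustration; extend them for the credential formats your
# team actually uses, and keep an allowlist for known false positives.

SECRET_PATTERNS='AKIA[0-9A-Z]{16}
-----BEGIN [A-Z ]*PRIVATE KEY-----
(password|passwd|secret|api[_-]?key|token)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}'

# scan_for_secrets: read text on stdin, print every matching line with its
# line number, and return 1 if anything matched (0 when the input is clean).
scan_for_secrets() {
    patfile=$(mktemp) || return 2
    printf '%s\n' "$SECRET_PATTERNS" > "$patfile"
    # grep -E -f reads one extended regex per line of the pattern file;
    # -i keeps PASSWORD= and Password= from slipping past the word list.
    if grep -E -n -i -f "$patfile"; then
        rm -f "$patfile"
        return 1
    fi
    rm -f "$patfile"
    return 0
}

# added_lines: only the lines this commit would add (staged '+' lines minus
# the '+++' file headers), so a pre-existing hit elsewhere in the file does
# not block unrelated commits; those belong to the history-cleanup step.
added_lines() {
    git diff --cached --diff-filter=ACM -U0 | grep '^+' | grep -v '^+++'
}

# Hook entry point: only runs when git invokes this file as "pre-commit";
# sourcing the file elsewhere just defines the functions for reuse.
if [ "${0##*/}" = "pre-commit" ]; then
    if added_lines | scan_for_secrets; then
        exit 0
    fi
    echo "pre-commit: possible credential in staged changes; commit rejected." >&2
    exit 1
fi
```

The same function doubles as a quick audit of what is already in the repository: `git log -p --all | scan_for_secrets` walks every historical diff through the same patterns, which is the cheap first pass before reaching for GitRob or truffleHog. The third pattern is deliberately broad, so expect hits on lines such as `secretName = $(KeyVaultSecret)`; tune the regexes or add an allowlist rather than loosening the hook.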
Continue reading the list of 8 Azure Repos security best practices:
- Never store credentials as code/config in Azure Repos
- Remove sensitive data in your files and Azure Repos history
- Tightly control access
- Add a SECURITY.md file
- Use Personal Access Tokens
- Provide granular permissions and groups for users
- Add security testing to Pull Requests
- Rotate SSH keys and personal access tokens
If you haven’t done so yet, make sure you download this cheat sheet now and pin it up, so your future decisions are secure decisions!