
@Ngwerume
Contributor

No description provided.

```json
"OnlinePaymentProcessorConfig": {
  "URI": "https://localhost:44303/",
  "ApplicationId": "ContosoWebPortal",
  "IdentitySharedSecret": "pL9mN3oQ6rS2tU8vW1xY5zA7bC4dE9fG2hI6jK3lM8n=",
```


🚫 Codacy found a high Security issue: Base64 High Entropy String

The issue identified by the Checkov linter is related to the presence of a high-entropy string in the JSON configuration, specifically the IdentitySharedSecret. High-entropy strings, such as cryptographic keys or secrets, should not be hardcoded in source code or configuration files, as they can be extracted by malicious actors if the codebase is compromised. Instead, these sensitive values should be stored securely, using environment variables or secret management tools.

To mitigate this security risk, the IdentitySharedSecret should be replaced with a reference to an environment variable that holds the secret value. This keeps the sensitive information out of the source code.

Here’s the suggested code change:

Suggested change

```diff
- "IdentitySharedSecret": "pL9mN3oQ6rS2tU8vW1xY5zA7bC4dE9fG2hI6jK3lM8n=",
+ "IdentitySharedSecret": "${IDENTITY_SHARED_SECRET}",
```

In this suggestion, ${IDENTITY_SHARED_SECRET} is assumed to be an environment variable that stores the actual secret value securely. Make sure to configure your application to read this environment variable appropriately.


This comment was generated by an experimental AI tool.

```json
  "URI": "https://localhost:44303/",
  "ApplicationId": "ContosoWebPortal",
  "IdentitySharedSecret": "pL9mN3oQ6rS2tU8vW1xY5zA7bC4dE9fG2hI6jK3lM8n=",
  "HashSecret": "tU7vW2xY6zA1bC5dE9fG3hI8jK2lM6nO1pQ5rS9tU3vW7xY2zA6bC1dE5fG9hI4jK8lM2nO6pQ1rS5tU9vW4xY8zA2bC6dE1fG5hI9jK3lM7nO2pQ6rS1tU5vW9xY3zA7bC2dE6fG1hI5jK9lM3nO7pQ2rS6tU1vW5xY9zA4bC8dE2fG6hI1jK5lM9nO3pQ7rS2tU6vW1xY5zA9bC3dE7fG2hI6jK1lM5nO9pQ3rS7tU2vW6xY1zA5bC9dE3fG7hI2jK6lM1nO5pQ9rS3tU7vW2xY6zA1bC5dE9fG3hI7jK2lM6nO1pQ5rS9tU3vW7xY2zA6bC1dE5fG9hI4jK8lM2nO6pQ1rS5tU9vW4xY8zA2bC6dE1fG5hI9jK3lM7nO2pQ6rS1tU5vW9xY3zA7bC2dE6fG1hI5jK9lM3nO7pQ2rS6tU1vW5xY9zA4bC8dE2fG6hI1jK5lM9nO3pQ7rS2tU6vW1xY5zA9bC3dE7fG2hI6jK1lM5nO9pQ3rS7tU2vW6xY1zA5bC9dE3fG7hI2jK6lM1nO5pQ9rS3tU7vW2xY6zA=="
```


🚫 Codacy found a high Security issue: Base64 High Entropy String

The issue identified by the Checkov linter is related to the presence of a high-entropy base64-encoded string in the HashSecret field. High-entropy strings, especially those that are base64-encoded, can indicate sensitive data such as cryptographic keys or secrets. Storing such sensitive information in plaintext within configuration files can lead to security vulnerabilities, as it increases the risk of exposure.

To address this issue, it is recommended to store sensitive information like HashSecret in a secure environment variable or a secrets management system instead of hardcoding it in the configuration file. This way, the sensitive information is not exposed in the source code, reducing the risk of accidental leaks.

Here’s a code suggestion to replace the HashSecret with a placeholder that indicates it should be retrieved from an environment variable:

Suggested change

```diff
- "HashSecret": "tU7vW2xY6zA1bC5dE9fG3hI8jK2lM6nO1pQ5rS9tU3vW7xY2zA6bC1dE5fG9hI4jK8lM2nO6pQ1rS5tU9vW4xY8zA2bC6dE1fG5hI9jK3lM7nO2pQ6rS1tU5vW9xY3zA7bC2dE6fG1hI5jK9lM3nO7pQ2rS6tU1vW5xY9zA4bC8dE2fG6hI1jK5lM9nO3pQ7rS2tU6vW1xY5zA9bC3dE7fG2hI6jK1lM5nO9pQ3rS7tU2vW6xY1zA5bC9dE3fG7hI2jK6lM1nO5pQ9rS3tU7vW2xY6zA1bC5dE9fG3hI7jK2lM6nO1pQ5rS9tU3vW7xY2zA6bC1dE5fG9hI4jK8lM2nO6pQ1rS5tU9vW4xY8zA2bC6dE1fG5hI9jK3lM7nO2pQ6rS1tU5vW9xY3zA7bC2dE6fG1hI5jK9lM3nO7pQ2rS6tU1vW5xY9zA4bC8dE2fG6hI1jK5lM9nO3pQ7rS2tU6vW1xY5zA9bC3dE7fG2hI6jK1lM5nO9pQ3rS7tU2vW6xY1zA5bC9dE3fG7hI2jK6lM1nO5pQ9rS3tU7vW2xY6zA=="
+ "HashSecret": "${HASH_SECRET_ENV_VARIABLE}"
```

In this suggestion, ${HASH_SECRET_ENV_VARIABLE} should be replaced with the actual environment variable name that holds the HashSecret value when the application is deployed.


This comment was generated by an experimental AI tool.
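Added example, not code from this PR or from Codacy, covering both findings above: a Checkov-style scan that flags base64-looking config values by Shannon entropy, and the `${NAME}` placeholder resolution that both suggestions assume the application performs at startup. The 4.5 bits/char threshold, the `${NAME}` convention and the sample config are assumptions; the hardcoded value is the IdentitySharedSecret quoted on the page.

```python
import json
import math
import re
from collections import Counter

# Constructed sample of the appsettings section under review; the secret is the
# value quoted on the page, FIXED swaps in the reviewer's placeholder form.
HARDCODED = ('{"OnlinePaymentProcessorConfig": {"URI": "https://localhost:44303/", '
             '"ApplicationId": "ContosoWebPortal", '
             '"IdentitySharedSecret": "pL9mN3oQ6rS2tU8vW1xY5zA7bC4dE9fG2hI6jK3lM8n="}}')
FIXED = HARDCODED.replace("pL9mN3oQ6rS2tU8vW1xY5zA7bC4dE9fG2hI6jK3lM8n=", "${IDENTITY_SHARED_SECRET}")

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
PLACEHOLDER_RE = re.compile(r"^\$\{([A-Z][A-Z0-9_]*)\}$")
# Assumed threshold, modelled on the 4.5 bits/char base64 limit used by detect-secrets.
BASE64_ENTROPY_LIMIT = 4.5

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def _strings(obj, path=""):
    """Yield (dotted path, value) for every string leaf of a parsed JSON object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, str):
        yield path, obj

def scan_config(text):
    """Return [(path, entropy)] for base64-looking values at or above the limit."""
    found = ((p, shannon_entropy(v)) for p, v in _strings(json.loads(text)) if BASE64_RE.match(v))
    return [(p, round(e, 2)) for p, e in found if e >= BASE64_ENTROPY_LIMIT]

def resolve_placeholders(obj, env):
    """Substitute "${NAME}" values from env (e.g. os.environ); an unset NAME raises
    so a deployment never starts with an empty secret."""
    if isinstance(obj, dict):
        return {k: resolve_placeholders(v, env) for k, v in obj.items()}
    if isinstance(obj, str) and (m := PLACEHOLDER_RE.match(obj)):
        if m.group(1) not in env:
            raise KeyError(f"environment variable {m.group(1)} is not set")
        return env[m.group(1)]
    return obj

if __name__ == "__main__":
    print("findings before:", scan_config(HARDCODED))  # flags IdentitySharedSecret
    print("findings after:", scan_config(FIXED))       # []
    print(resolve_placeholders(json.loads(FIXED), {"IDENTITY_SHARED_SECRET": "from-env"}))
```

If this is an ASP.NET Core appsettings file (an assumption from the port and key names), note that the built-in configuration providers do not expand `${...}` on their own: either resolve placeholders as above or set the value through the environment-variable provider's `OnlinePaymentProcessorConfig__IdentitySharedSecret` override.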
