Summary
Compiled Copilot workflows can emit:
COPILOT_API_KEY: dummy-byok-key-for-offline-mode
This is not a real credential, but generated .lock.yml files now contain an *_API_KEY assignment with a non-empty token-like value.
Actual
Repo/template secret scans flag the generated value unless downstream projects add an allowlist.
Expected
Avoid secret-shaped generated artifacts when possible.
Acceptable fixes could include:
- use a non-secret-shaped sentinel
- use a different env var name for the offline/BYOK marker
- emit an empty value if runtime behavior allows it
- document this exact generated value as safe to allowlist
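As an added illustration (not part of this issue or the project's own code), the check below approximates the kind of rule a generic secret scanner applies to env-style YAML, flags the value quoted above, and shows which of the listed fix options would no longer trigger it. The rule and the sample lock-file lines are constructed assumptions, not any real scanner's ruleset.

```python
import re

# Approximation of a generic secret-scanner rule (an assumption, not any
# real scanner's rule): an env-style YAML assignment whose key ends in
# _API_KEY and whose value is a non-empty, token-like string.
ASSIGNMENT = re.compile(r"^\s*(?P<key>[A-Z][A-Z0-9_]*_API_KEY)\s*:\s*(?P<value>.*?)\s*$")
TOKEN_LIKE = re.compile(r"^[\"']?[A-Za-z0-9_\-]{8,}[\"']?$")
EMPTYISH = {"", '""', "''", "null", "~"}


def secret_shaped_assignments(lock_yml: str) -> list[tuple[int, str, str]]:
    """Return (line_no, key, value) for each *_API_KEY line whose value looks
    like a token. Empty/null values and ${{ secrets.* }} references contain
    characters outside the token class and are not reported."""
    hits = []
    for n, line in enumerate(lock_yml.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if m and m.group("value") not in EMPTYISH and TOKEN_LIKE.match(m.group("value")):
            hits.append((n, m.group("key"), m.group("value")))
    return hits


# Constructed excerpt of a generated .lock.yml env block, not real compiler output.
CURRENT_OUTPUT = (
    "env:\n"
    "  COPILOT_API_KEY: dummy-byok-key-for-offline-mode\n"
    "  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n"
)

# The fix options listed above, as constructed env lines (variable names and
# sentinel text are assumptions). Note that renaming the variable only evades
# a key-name rule; an entropy-based rule could still flag the same value.
CANDIDATE_FIXES = {
    "non-secret-shaped sentinel": "env:\n  COPILOT_API_KEY: offline mode (no key)\n",
    "different env var name": "env:\n  COPILOT_BYOK_OFFLINE: dummy-byok-key-for-offline-mode\n",
    "empty value": 'env:\n  COPILOT_API_KEY: ""\n',
}


def still_flagged() -> dict[str, bool]:
    """Map each candidate fix to whether this rule would still flag it."""
    return {name: bool(secret_shaped_assignments(text)) for name, text in CANDIDATE_FIXES.items()}


if __name__ == "__main__":
    for n, key, value in secret_shaped_assignments(CURRENT_OUTPUT):
        print(f"line {n}: {key} has token-like value {value!r}")
    print(still_flagged())
```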
Why it matters
Generated lock files are committed and exported into template repos. Requiring scanner exceptions for generated dummy keys weakens secret-scanning signal.
Related
Related but distinct from #30324, #30632, and #26543. Those cover runtime/BYOK behavior. This issue is about generated artifact hygiene and scanner false positives.