
Fix Azure Storage Account Key false positives in secret redaction#18932

Merged
pelikhan merged 2 commits into main from copilot/redact-secrets-in-logs on Feb 28, 2026

Conversation


Copilot AI commented Feb 28, 2026

The built-in pattern for Azure Storage Account Keys matched any 88-char base64 string ending in ==, producing hundreds of false positives from base64-encoded content in agent log files (tool outputs, API responses, etc.). The pattern also used the wrong character count — real 64-byte Azure keys encode to 86 base64 chars, not 88.

Changes

  • Pattern specificity: Require AccountKey= connection string prefix, matching how Azure Storage keys actually appear in practice
  • Length fix: Correct the base64 character count from {88} to {86} (64 bytes → 86 base64 chars + ==)
  • Tests: Update existing test to use connection string context; add regression test verifying bare base64 strings are not falsely matched
- { name: "Azure Storage Account Key", pattern: /[a-zA-Z0-9+/]{88}==/g },
+ { name: "Azure Storage Account Key", pattern: /AccountKey=[a-zA-Z0-9+/]{86}==/g },
Original prompt

This section details the original issue you should resolve

<issue_title>Redact Secrets in Logs reports Azure Storage Account Key</issue_title>
<issue_description>```
Redacted 220 occurrence(s) of Azure Storage Account Key
Processed /tmp/gh-aw/sandbox/agent/logs/process-1772317405746-154.log: 220 redaction(s)
Secret redaction complete: 220 redaction(s) in 1 file(s)
```</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
<comment_new><author>@pelikhan</author><body>
investigate this report </body></comment_new>
</comments>



Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Investigate Azure Storage Account Key redaction report" to "Fix Azure Storage Account Key false positives in secret redaction" on Feb 28, 2026
@pelikhan pelikhan marked this pull request as ready for review February 28, 2026 23:08
Copilot AI review requested due to automatic review settings February 28, 2026 23:08

Copilot AI left a comment


Pull request overview

Adjusts Azure Storage Account Key detection to avoid widespread false positives when redacting secrets from agent logs.

Changes:

  • Tightens the Azure Storage Account Key regex to require AccountKey= connection string context.
  • Fixes the key length from {88} to {86}== to reflect 64-byte keys base64-encoded with padding.
  • Updates/extends tests to validate connection-string redaction and prevent redacting unrelated base64 strings.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

  • actions/setup/js/redact_secrets.cjs: Refines the built-in Azure Storage Account Key regex for specificity and correct length.
  • actions/setup/js/redact_secrets.test.cjs: Updates the Azure key test to use connection-string context and adds a regression test for bare base64 strings.



// Azure tokens
{ name: "Azure Storage Account Key", pattern: /[a-zA-Z0-9+/]{88}==/g },
{ name: "Azure Storage Account Key", pattern: /AccountKey=[a-zA-Z0-9+/]{86}==/g },
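Review bot: the tightened pattern only fires when the key is immediately preceded by the literal AccountKey=, so a key that reaches the log on its own (echoed from an environment variable, printed as a JSON value, pasted without its connection string) is no longer redacted at all, and neither the PR description nor the tests record that this reduced recall is deliberate. Add a short comment next to the pattern stating the trade-off, and consider a test case that documents the current behaviour for a bare 86-char key so a later change cannot silently widen or narrow it.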

Copilot AI Feb 28, 2026


The regex now includes AccountKey= in the match, and redactBuiltInPatterns replaces the entire match with ***REDACTED***, which removes the AccountKey= label from connection strings. If you want to keep the field name for readability and consistent redaction behavior (redact the secret value, not surrounding context), consider using a lookbehind so only the key is matched (e.g., require AccountKey= but match only the base64), or adjust the redaction logic to preserve the prefix via capture groups.

Suggested change
{ name: "Azure Storage Account Key", pattern: /AccountKey=[a-zA-Z0-9+/]{86}==/g },
{ name: "Azure Storage Account Key", pattern: /(?<=AccountKey=)[a-zA-Z0-9+/]{86}==/g },
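Review bot: with the lookbehind form the match is only the 86-character value plus ==, so the existing replace-whole-match behaviour in redactBuiltInPatterns keeps AccountKey= without any change to the replacement code, which makes it the smaller of the two options mentioned above; the capture-group route would also need the replacement callback to reassemble the prefix. Lookbehind assertions are an ES2018 feature that every supported Node release provides, so there is no runtime concern with this form.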

await eval(`(async () => { ${modifiedScript}; await main(); })()`);
const redacted = fs.readFileSync(testFile, "utf8");
expect(redacted).toBe("Azure Key: ***REDACTED***");
expect(redacted).toBe("DefaultEndpointsProtocol=https;AccountName=myaccount;***REDACTED***;EndpointSuffix=core.windows.net");

Copilot AI Feb 28, 2026


This expected output drops the AccountKey= portion entirely because the regex matches the prefix too. If the intended behavior is to preserve the connection string key name (e.g., AccountKey=***REDACTED***), update the pattern/redaction approach accordingly and adjust this assertion to keep AccountKey= in the redacted string.

Suggested change
expect(redacted).toBe("DefaultEndpointsProtocol=https;AccountName=myaccount;***REDACTED***;EndpointSuffix=core.windows.net");
expect(redacted).toBe("DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=***REDACTED***;EndpointSuffix=core.windows.net");
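Review bot: this assertion only passes if the regex in redact_secrets.cjs is also changed to the lookbehind (or capture-group) form suggested in the other comment; with the merged pattern /AccountKey=[a-zA-Z0-9+/]{86}==/g the whole match, AccountKey= included, is replaced and this expectation fails. Apply the two suggestions together or neither.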

it("should not falsely redact plain base64 strings without AccountKey= context", async () => {
const testFile = path.join(tempDir, "test.txt");
// A different 86-char base64 string (not prefixed with AccountKey=) should NOT be redacted
const plainBase64 = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+zyxwvutsrqponmlkjiha==";
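Review bot: the literal on the last line is 84 base64 characters before the ==, not the 86 the comment claims, so the test never reaches the length the pattern requires and would pass even against a pattern that is too loose. Build the value from its length rather than typing it, for example "A".repeat(86) + "==", so the comment and the string cannot drift apart, and make the assertion that follows check the file content is byte-for-byte unchanged after the run.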

Copilot AI Feb 28, 2026


The comment says this is an "86-char base64 string" but the literal plainBase64 here appears shorter than 86 base64 characters before the == padding (so it wouldn't exercise the intended boundary). Consider adjusting plainBase64 to be exactly 86 base64 chars + == to make this regression test meaningful for the Azure key-length case.

Suggested change
const plainBase64 = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+zyxwvutsrqponmlkjiha==";
const plainBase64 = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+zyxwvutsrqponmlkjihabc==";

@pelikhan pelikhan merged commit b5969b8 into main Feb 28, 2026
108 checks passed
@pelikhan pelikhan deleted the copilot/redact-secrets-in-logs branch February 28, 2026 23:15

Development

Successfully merging this pull request may close these issues.

Redact Secrets in Logs reports Azure Storage Account Key
