Tags: microsoft/azure-pipelines-agent
Use Microsoft.Security.Utilities.Core package for the 'new' secret masker (#5169)

When a new feature flag `DistributedTask.Agent.EnableNewMaskerAndRegexes` is enabled, a new corresponding agent knob `AZP_ENABLE_NEW_MASKER_AND_REGEXES` is turned on, we replace the use of `Microsoft.TeamFoundation.DistributedTask.Logging.SecretMasker` with `Microsoft.Security.Utilities.SecurityMasker` from the https://www.nuget.org/packages/Microsoft.Security.Utilities.Core package and https://github.com/microsoft/security-utilities repo.

This flag also enables the package's `WellKnownRegexPatterns.PreciselyClassifiedSecurityKeys` regex patterns. This class of pattern has high confidence, effectively admitting no false positives. It is also strongly oriented on detecting the latest Azure provider API key formats.

The new knob/flag pair replaces `DistributedTask.Agent.UseMaskingPerformanceEnhancements`/`AZP_ENABLE_NEW_SECRET_MASKER`, which would use a built-in `SecretMasker` that was implemented in this repo, along with a subset of the aforementioned `PreciselyClassifiedSecurityKeys` patterns also re-implemented in this repo. That code is therefore deleted in this change.

Note that in the absence of feature flags, the default behavior remains unchanged.

Benchmarking shows masking with the new feature enabled outperforming masking with it disabled even though the new feature also brings the added value of 30 additional patterns.

Co-authored-by: Michael C. Fanning <mikefan@microsoft.com>