Skip to content

fix: add no_log and harden gitignore#32

Merged
burigolucas merged 7 commits into
redhat-cop:mainfrom
stevefulme1:fix/ci-security-vulnerabilities
Jul 2, 2026
Merged

fix: add no_log and harden gitignore#32
burigolucas merged 7 commits into
redhat-cop:mainfrom
stevefulme1:fix/ci-security-vulnerabilities

Conversation

@stevefulme1

@stevefulme1 stevefulme1 commented Apr 19, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Security: no_log: true added to tasks handling credentials (aap_subscription.yml, aap_seed/main.yml, mtv_query_inventory.yml, install.yml, _storage.yml, _perform_operation.yml) to prevent secret leakage in Ansible logs
  • Security: .gitignore hardened — added *.pem and *.key exclusions
  • Docs: Standardized CODE_OF_CONDUCT.md, SECURITY.md, and license reference formatting
  • Removed COPYING file (duplicate of existing LICENSE)

Original CI workflow fixes (gitleaks.yml shell injection, slack-pr-notifications.yml pull_request_target) are no longer applicable — those workflow files were removed from main in subsequent upstream commits.

Test plan

  • Rebased on latest main
  • COPYING file removed per reviewer feedback
  • Verify credential values not visible in ansible output logs
  • Verify .gitignore excludes *.pem and *.key files

@spyrexd spyrexd left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this supersede #31 ?

spyrexd
spyrexd previously approved these changes May 19, 2026
@sabre1041

Copy link
Copy Markdown
Contributor

@stevefulme1 this looks good. Only outstanding item is that there is a COPYING file that appears to be almost exactly the same as the LICENSE. One we resolve this discussion, we should be able to integrate these changes

@stevefulme1 stevefulme1 force-pushed the fix/ci-security-vulnerabilities branch from 1ad6cb6 to b57a786 Compare June 30, 2026 12:21
@stevefulme1 stevefulme1 changed the title fix(ci): patch shell injection and unsafe pull_request_target fix(security): add no_log to credential tasks, harden .gitignore, standardize docs Jun 30, 2026
@stevefulme1

Copy link
Copy Markdown
Contributor Author

@sabre1041 Done — COPYING removed, rebased on latest main, and updated the PR description to reflect current scope (the original CI workflow files no longer exist upstream so those fixes dropped off naturally during rebase).

Sorry about the delay — I thought I had already addressed this!

@sabre1041

Copy link
Copy Markdown
Contributor

@sabre1041 Done — COPYING removed, rebased on latest main, and updated the PR description to reflect current scope (the original CI workflow files no longer exist upstream so those fixes dropped off naturally during rebase).

Sorry about the delay — I thought I had already addressed this!

we're so close! PR title is now too log (its always something....)

@stevefulme1 stevefulme1 changed the title fix(security): add no_log to credential tasks, harden .gitignore, standardize docs fix(security): add no_log and harden gitignore Jul 1, 2026
Comment thread SECURITY.md
@stevefulme1 stevefulme1 changed the title fix(security): add no_log and harden gitignore fix: add no_log and harden gitignore Jul 2, 2026
@stevefulme1

Copy link
Copy Markdown
Contributor Author

@sabre1041 Shortened the PR title to fix: add no_log and harden gitignore — dropped the (security) scope to match the repo convention.

@burigolucas Added the Security Policy link to the README Documentation section. Thanks for the catch!

@burigolucas burigolucas merged commit 387ebfd into redhat-cop:main Jul 2, 2026
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants