feat: Add audit log output #111

Laugslander · 2023-12-20T09:21:14Z

Adds the audit_log output parameter that captures audit log information in a list of JSON objects. Fixes #110

An audit log object contains the following properties:

repo: string
target: string
action: string
secret_name: string
secret_hash: string
environment: string
dry_run: boolean

The secret_hash contains the hashed password. This can be used to track whether a secret actually changes.
Optionally, a custom salt can be provided via the audit_log_hashing_salt to make it more difficult to reverse engineer the secret.

This functionality might be a bit specific for our project's needs. If it is useful for the greater public, feel free to merge. It does not introduce any breaking changes.

jpoehnelt

I'm concerned about the handling of the case where a salt has not been provided. As far as I can tell this would mean the hash(value, "") would show up in the logs.

__tests__/main.test.ts

jpoehnelt · 2024-01-05T21:50:50Z

I'm concerned about the handling of the case where a salt has not been provided. As far as I can tell this would mean the hash(value, "") would show up in the logs.

Following up on this to see what your thoughts are?

Laugslander · 2024-01-08T09:02:24Z

I'm concerned about the handling of the case where a salt has not been provided. As far as I can tell this would mean the hash(value, "") would show up in the logs.

Following up on this to see what your thoughts are?

You are right, the unsalted hashed value is printed in the logs.
As a mitigation, I now use the GITHUB_REPOSITORY_ID as the default salt value. What do you think?

Laugslander added 28 commits December 13, 2023 11:47

Add audit_log output

06f8ed1

Update dist

0fb5e6d

Property shorthand

24293f5

Improve typing

23865ee

Run prettier

32ba867

Update dist

59cd832

Export variable

59c274a

Update dist

672202c

Set output

439fe16

actions/checkout@v4

eece747

Improve test

50a64c7

@actions/core:^1.1.0

e15e35a

Improve test

dd0d975

Update dist

c7e1822

Replace tweetsodium with libsodium and hash secrets

0df87bb

Revert tweetsodium replacement

169a0d0

Update packages

4599c97

Update dist

d8f8180

Mock @actions/core to suppress core.setFailed error logging

3e14f53

Run prettier

59f42f1

Test audit log

dffac76

Update docs

5588475

Switch to SHA 512

8b090f6

Add salt input for hash function

f8e7284

"@typescript-eslint/no-unused-vars": "off"

fdc5a09

Update AuditLog property ordering

d07aadc

Order variables

1db1800

Address review comments

000a539

Laugslander changed the title ~~Add audit log output~~ feat: Add audit log output Dec 20, 2023

jpoehnelt reviewed Dec 27, 2023

View reviewed changes

__tests__/main.test.ts Outdated Show resolved Hide resolved

Remove unused import

36f6627

Use GITHUB_REPOSITORY_ID as default salt

bad1d82

Laugslander force-pushed the feature/auditability branch from ae4b571 to bad1d82 Compare January 8, 2024 08:57

Laugslander added 2 commits January 8, 2024 09:59

Run prettier

c39ca3b

Update dist

5f42733

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Add audit log output #111

feat: Add audit log output #111

Laugslander commented Dec 20, 2023

jpoehnelt left a comment

jpoehnelt commented Jan 5, 2024

Laugslander commented Jan 8, 2024

feat: Add audit log output #111

Are you sure you want to change the base?

feat: Add audit log output #111

Conversation

Laugslander commented Dec 20, 2023

jpoehnelt left a comment

Choose a reason for hiding this comment

jpoehnelt commented Jan 5, 2024

Laugslander commented Jan 8, 2024