Handle secret redaction in policy XML #199
Merged
Copilot (AI) changed the title from "[WIP] Fix hardcoded secrets in policy XML not redacted" to "Redact inline secrets in extracted policy XML and block publish of redacted policies" on Jun 29, 2026.
EMaher (Contributor) requested changes on Jun 29, 2026 and left a comment:
I don't see code to handle JWT Bearer tokens.
Copilot (AI) changed the title from "Redact inline secrets in extracted policy XML and block publish of redacted policies" to "Handle JWT bearer tokens in policy XML redaction" on Jun 29, 2026.
Add Write-Host section headers and Write-Verbose breadcrumbs across all redact-secrets integration phases (deploy, extract, validate, teardown) and the orchestrator for easier test debugging. Fix Set-ScriptLogPreferences in ScriptRuntime.psm1 to set the caller's VerbosePreference/DebugPreference via $PSCmdlet.SessionState. The previous Set-Variable -Scope 1 from a module function only affected the module's scope chain, so Write-Verbose output was silently suppressed. Wire LogLevel/Set-ScriptLogPreferences into phase 4 teardown and the orchestrator so their verbose output is honored, and broaden the integration-test .gitignore patterns to cover all integration subdirs.
EMaher approved these changes on Jul 1, 2026.
petehauge (Collaborator) approved these changes on Jul 1, 2026 and left a comment:
Some comments sent in Teams - thanks!
This pull request introduces comprehensive support for secret redaction in policy extraction and publishing workflows, and adds a new integration test for redaction. The main changes ensure that extracted policy files have secrets redacted, and that publishing is strictly blocked if any redaction markers remain. This prevents accidental exposure of secrets and enforces best practices for secret management. Additionally, documentation and test workflows have been updated to reflect and validate these changes.

Secret Redaction and Enforcement:

- The extraction functions `extractApiPolicy`, `extractApiOperations`, `extractGraphQLResolvers`, `extractServicePolicy` and `extractProductPolicy` now use `redactAndWarnPolicySecrets` to redact secrets from policy content before writing to disk or returning content. [1] [2] [3] [4] [5]
- `runPublish` in `publish-service.ts` performs a pre-flight scan for redaction markers (`*** REDACTED ***`) in all artifacts to be published, aborting the entire publish if any are found, including in dry-run mode.
- `publishPolicy` in `resource-publisher.ts` performs a fail-safe check for redaction markers after overrides are applied, blocking publishing if any remain. [1] [2]

Integration Test and Documentation Updates:

- A new integration test workflow, `integration-redact-secrets.yml`, has been added to test the redaction and publishing guard end-to-end, including parameterization and Azure login.
- Documentation, including `.squad/agents/apimexpert/history.md`, has been updated to cover the new workflow and clarify best practices for handling redacted secrets and policy overrides. [1] [2]

Refactoring and Exports:

- The `POLICY_TYPES` set is now exported for broader use in the codebase.
- Imports of `redactAndWarnPolicySecrets` and related helpers have been added where necessary. [1] [2] [3] [4] [5]

These changes collectively ensure that secrets are never published accidentally and provide clear guidance and test coverage for handling redacted secrets in API Management workflows.

The `policy.xml` redaction handled `Authorization` headers as all-or-nothing values, which missed the common bearer-token shape (`******`) called out in review. This update redacts literal bearer tokens without stripping the `Bearer` scheme and preserves named value-backed bearer headers.

Authorization header redaction

- `Authorization` values in the form `******` are redacted to `*** REDACTED ***`

Named value preservation

Regression coverage

- `secret-redactor` unit coverage for literal bearer tokens and named value-backed bearer headers
- `Bearer` prefix preservation
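The redaction and publish-guard behaviour the PR body describes, as an added TypeScript example that is not the PR's or the project's own code. It assumes the APIM `<set-header name="...">`/`<value>` policy shape, treats `{{name}}` as a named-value reference, and uses `*** REDACTED ***` as the marker; the sensitive-header list, the function names (`redactPolicySecrets`, `assertPublishable`, etc.) and the sample policy are constructed for this example.

```typescript
// Added example (not code from the PR or the project): redact inline credentials
// in an APIM policy.xml, keeping the auth scheme and named-value references,
// then refuse to publish any artifact that still carries the marker.

export const REDACTION_MARKER = "*** REDACTED ***";

// Headers whose <value> is treated as a credential (assumption for this example).
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization"]);

// A value that is purely a named-value reference, e.g. {{backend-token}}.
const NAMED_VALUE_RE = /^\{\{[^{}]+\}\}$/;

// <set-header ... name="X" ...>body</set-header>; self-closing tags are skipped
// so a lazy body match cannot run on into the next header.
const SET_HEADER_RE =
  /(<set-header\b[^>]*\bname\s*=\s*["']([^"']+)["'](?:[^>]*[^/>])?>)([\s\S]*?)(<\/set-header>)/gi;
const VALUE_RE = /(<value>)([\s\S]*?)(<\/value>)/gi;

export interface ValueRedaction { redacted: string; changed: boolean }

// Redact one header value: keep the scheme (Bearer, Basic, ...), leave
// named-value references untouched, and stay idempotent on redacted input.
export function redactHeaderValue(value: string): ValueRedaction {
  const trimmed = value.trim();
  if (trimmed === "" || NAMED_VALUE_RE.test(trimmed)) return { redacted: value, changed: false };
  const m = /^([A-Za-z][A-Za-z0-9-]*)\s+([\s\S]+)$/.exec(trimmed);
  if (m) {
    const scheme = m[1];
    const cred = m[2].trim();
    if (NAMED_VALUE_RE.test(cred) || cred === REDACTION_MARKER) return { redacted: value, changed: false };
    return { redacted: `${scheme} ${REDACTION_MARKER}`, changed: true };
  }
  // A bare token (e.g. a raw JWT) with no scheme: replace the whole value.
  if (trimmed === REDACTION_MARKER) return { redacted: value, changed: false };
  return { redacted: REDACTION_MARKER, changed: true };
}

export interface RedactionResult { xml: string; redactions: string[] }

// Walk every sensitive <set-header> and redact its <value> elements.
export function redactPolicySecrets(xml: string): RedactionResult {
  const redactions: string[] = [];
  const out = xml.replace(SET_HEADER_RE, (whole: string, open: string, name: string, body: string, close: string) => {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) return whole;
    const newBody = body.replace(VALUE_RE, (_m: string, vOpen: string, value: string, vClose: string) => {
      const r = redactHeaderValue(value);
      if (r.changed) redactions.push(`${name}: ${r.redacted}`);
      return `${vOpen}${r.redacted}${vClose}`;
    });
    return `${open}${newBody}${close}`;
  });
  return { xml: out, redactions };
}

// Publish guard: every artifact path whose content still contains the marker.
export function findRedactionMarkers(artifacts: Record<string, string>): string[] {
  return Object.keys(artifacts).filter((p) => artifacts[p].includes(REDACTION_MARKER));
}

// Fail closed: a redacted placeholder must never reach the service.
export function assertPublishable(artifacts: Record<string, string>): void {
  const hits = findRedactionMarkers(artifacts);
  if (hits.length > 0) {
    throw new Error(
      `Refusing to publish: redaction marker present in ${hits.join(", ")}; ` +
      `restore the value from a named value or an override before publishing.`,
    );
  }
}

// Constructed sample policy; the token below is a made-up placeholder.
export const SAMPLE_POLICY = `<policies>
  <inbound>
    <base />
    <set-header name="Authorization" exists-action="override">
      <value>Bearer eyJhbGciOiJIUzI1NiJ9.e30.constructed-sample-token</value>
    </set-header>
    <set-header name="Proxy-Authorization" exists-action="override">
      <value>Bearer {{backend-token}}</value>
    </set-header>
    <set-header name="X-Correlation-Id" exists-action="override">
      <value>@(context.RequestId)</value>
    </set-header>
  </inbound>
</policies>`;

// Extract-then-publish flow on the sample: the literal token is redacted, the
// named-value header is preserved, and the guard flags the redacted artifact.
export function demo(): { redacted: RedactionResult; blocked: string[] } {
  const redacted = redactPolicySecrets(SAMPLE_POLICY);
  const blocked = findRedactionMarkers({
    "apis/orders/policy.xml": redacted.xml,
    "apis/orders/api.json": "{}",
  });
  return { redacted, blocked };
}
```

The guard deliberately scans for the literal marker rather than re-running the redactor, so a marker that survives a manual override or a template merge is still caught; the named-value branch is what lets `Bearer {{backend-token}}` pass through untouched, since the secret itself never lives in the file.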