Handle secret redaction in policy XML #199

Merged
EMaher merged 11 commits into
mainfrom
copilot/fix-hardcoded-secrets-redaction
Jul 1, 2026
Conversation

Copilot AI commented Jun 29, 2026

Contributor

This pull request introduces comprehensive support for secret redaction in policy extraction and publishing workflows, and adds a new integration test for redaction. The main changes ensure that extracted policy files have secrets redacted, and that publishing is strictly blocked if any redaction markers remain. This prevents accidental exposure of secrets and enforces best practices for secret management. Additionally, documentation and test workflows have been updated to reflect and validate these changes.

Secret Redaction and Enforcement:

  • All policy extraction functions (extractApiPolicy, extractApiOperations, extractGraphQLResolvers, extractServicePolicy, extractProductPolicy) now use redactAndWarnPolicySecrets to redact secrets from policy content before writing to disk or returning content. [1] [2] [3] [4] [5]
  • The publish workflow (runPublish in publish-service.ts) performs a pre-flight scan for redaction markers (*** REDACTED ***) in all artifacts to be published, aborting the entire publish if any are found, including in dry-run mode.
  • The policy publishing logic (publishPolicy in resource-publisher.ts) performs a fail-safe check for redaction markers after overrides are applied, blocking publishing if any remain. [1] [2]

Integration Test and Documentation Updates:

  • A new GitHub Actions workflow (integration-redact-secrets.yml) has been added to test the redaction and publishing guard end-to-end, including parameterization and Azure login.
  • The integration test prerequisites documentation and .squad/agents/apimexpert/history.md have been updated to cover the new workflow and clarify best practices for handling redacted secrets and policy overrides. [1] [2]

Refactoring and Exports:

  • The POLICY_TYPES set is now exported for broader use in the codebase.
  • Imports for redactAndWarnPolicySecrets and related helpers have been added where necessary. [1] [2] [3] [4] [5]

These changes collectively ensure that secrets are never published accidentally and provide clear guidance and test coverage for handling redacted secrets in API Management workflows.

policy.xml redaction handled Authorization headers as all-or-nothing values, which missed the common ****** shape called out in review. This update redacts literal bearer tokens without stripping the `Bearer` scheme and preserves named value-backed bearer headers.

  • Authorization header redaction

    • Detect Authorization values in the form `******
    • Rewrite literal tokens to ****** REDACTED ***
    • Preserve non-bearer authorization values under the existing redaction path
  • Named value preservation

    • Keep `****** unchanged so extracted policies continue to reference APIM named values correctly
    • Avoid treating named value references as inline secrets
  • Regression coverage

    • Extend secret-redactor unit coverage for literal bearer tokens and named value-backed bearer headers
    • Update API policy extraction expectations to reflect the preserved Bearer prefix

```typescript
const { redactedContent } = redactPolicySecrets(`
  <set-header name="Authorization">
    <value>******
  </set-header>
`);

// => <value>****** REDACTED ***</value>
```
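A minimal model of the two guards this PR describes, written here as an added example rather than the project's own code: bearer-token redaction that keeps the `Bearer` scheme and leaves named-value references alone, plus the pre-flight publish scan for the `*** REDACTED ***` marker. It assumes APIM named values are referenced as `{{name}}` inside policy XML, and the sample policy is constructed.

```typescript
// Added example, not the project's code. Assumes APIM named values appear as {{name}}.
const REDACTION_MARKER = "*** REDACTED ***";

// Constructed sample policy with a literal (fake) bearer token and a named-value header.
const SAMPLE_POLICY = `<inbound>
  <set-header name="Authorization" exists-action="override">
    <value>Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sample-token</value>
  </set-header>
  <set-header name="X-Backend-Auth" exists-action="override">
    <value>Bearer {{backend-token}}</value>
  </set-header>
</inbound>`;

// Redact literal bearer tokens inside <set-header> values while keeping the "Bearer " scheme.
// A {{named-value}} token is an APIM reference, not an inline secret, so it is preserved.
function redactBearerTokens(policyXml: string): { redactedContent: string; count: number } {
  let count = 0;
  const redactedContent = policyXml.replace(
    /(<set-header\b[^>]*>[\s\S]*?<value>\s*Bearer\s+)([^<\s]+)(\s*<\/value>)/gi,
    (match: string, prefix: string, token: string, suffix: string) => {
      if (/^\{\{[^}]+\}\}$/.test(token)) return match; // named value reference: keep as-is
      count++;
      return `${prefix}${REDACTION_MARKER}${suffix}`;
    },
  );
  return { redactedContent, count };
}

// Pre-flight publish guard: list every artifact that still carries a redaction marker.
function findRedactedArtifacts(artifacts: Record<string, string>): string[] {
  return Object.entries(artifacts)
    .filter(([, content]) => content.includes(REDACTION_MARKER))
    .map(([path]) => path)
    .sort();
}

// Abort the whole publish (dry-run included) if any artifact is still redacted.
function assertPublishable(artifacts: Record<string, string>): void {
  const blocked = findRedactedArtifacts(artifacts);
  if (blocked.length > 0) {
    throw new Error(`Publish aborted: redaction markers found in ${blocked.join(", ")}`);
  }
}
```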

Copilot AI changed the title [WIP] Fix hardcoded secrets in policy XML not redacted Redact inline secrets in extracted policy XML and block publish of redacted policies Jun 29, 2026
Copilot AI requested a review from EMaher June 29, 2026 21:26

@EMaher EMaher left a comment

Contributor

I don't see code to handle JWT Bearer tokens.

Copilot AI changed the title Redact inline secrets in extracted policy XML and block publish of redacted policies Handle JWT bearer tokens in policy XML redaction Jun 29, 2026
EMaher added 5 commits June 30, 2026 18:19
Add Write-Host section headers and Write-Verbose breadcrumbs across all
redact-secrets integration phases (deploy, extract, validate, teardown)
and the orchestrator for easier test debugging.

Fix Set-ScriptLogPreferences in ScriptRuntime.psm1 to set the caller's
VerbosePreference/DebugPreference via $PSCmdlet.SessionState. The previous
Set-Variable -Scope 1 from a module function only affected the module's
scope chain, so Write-Verbose output was silently suppressed.

Wire LogLevel/Set-ScriptLogPreferences into phase 4 teardown and the
orchestrator so their verbose output is honored, and broaden the
integration-test .gitignore patterns to cover all integration subdirs.
@EMaher EMaher requested a review from petehauge July 1, 2026 03:48
@EMaher EMaher marked this pull request as ready for review July 1, 2026 03:49
@EMaher EMaher changed the title Handle JWT bearer tokens in policy XML redaction Handle secret redaction in policy XML Jul 1, 2026

@petehauge petehauge left a comment

Collaborator

Some comments sent in Teams - thanks!

@EMaher EMaher merged commit 967a95c into main Jul 1, 2026
5 checks passed
@EMaher EMaher linked an issue Jul 1, 2026 that may be closed by this pull request

Development

Successfully merging this pull request may close these issues.

Secrets hardcoded in policy XML are not redacted on extract

3 participants