github-advanced-security[bot] commented on code in PR #39177:
URL: https://github.com/apache/beam/pull/39177#discussion_r3501437875
##########
infra/enforcement/account_keys.py:
##########
@@ -405,23 +405,44 @@
"""
if not self.sending_client:
raise ValueError("SendingClient is required for printing
announcements")
-
+
diff = self.check_compliance()
if not diff:
self.logger.info("No compliance issues found, no announcement will
be printed.")
return
- title = f"Account Keys Compliance Issue Detected"
- body = f"Account keys for project {self.project_id} are not compliant
with the defined policies on {self.service_account_keys_file}\n\n"
- for issue in diff:
- body += f"- {issue}\n"
+ unmanaged_keys_issues = [issue for issue in diff if "SECURITY ALERT"
in issue]
+ general_issues = [issue for issue in diff if "SECURITY ALERT" not in
issue]
+
+ if general_issues:
+ self.logger.info("Printing general compliance announcement...")
+ title = f"[SECURITY] Action Required: Unauthorized Service
Accounts Detected"
+ body = f"Unauthorized Service Accounts Report\n\n"
+ body += f"Account keys for project {self.project_id} are not
compliant with the defined policies on {self.service_account_keys_file}\n\n"
+ for issue in general_issues:
+ body += f"- {issue}\n"
+
+ announcement = f"Dear team,\n\nThis is an automated notification
about compliance issues detected in the Account Keys policy for project
{self.project_id}.\n\n"
+ announcement += f"We found {len(general_issues)} compliance
issue(s) that need your attention.\n"
+ announcement += f"\nPlease check the GitHub issue for detailed
information and take appropriate action to resolve these compliance violations."
- announcement = f"Dear team,\n\nThis is an automated notification about
compliance issues detected in the Account Keys policy for project
{self.project_id}.\n\n"
- announcement += f"We found {len(diff)} compliance issue(s) that need
your attention.\n"
- announcement += f"\nPlease check the GitHub issue for detailed
information and take appropriate action to resolve these compliance violations."
+ self.sending_client.print_announcement(title, body, recipient,
announcement)
- self.sending_client.print_announcement(title, body, recipient,
announcement)
+ if unmanaged_keys_issues:
+ self.logger.info("Printing security dashboard update for unmanaged
keys...")
+ timestamp =
datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
+ print("\n" + "="*60)
+ print("SIMULATING GITHUB SECURITY ISSUE CREATION/UPDATE")
+ print("="*60)
+ print("Title: [SECURITY] Action Required: Unmanaged Service
Account Keys Detected\n")
+ print(f"Body:\n### Unmanaged Keys Audit Report ({timestamp})")
+ print(f"The following unauthorized or unmanaged keys were detected
in `{self.project_id}`:\n")
+ for issue in unmanaged_keys_issues:
+ print(f"- {issue}")
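Review bot: The unmanaged-keys branch that ends at the last hunk line emits its report with bare `print()` calls under a "SIMULATING GITHUB SECURITY ISSUE CREATION/UPDATE" banner, so unlike the general-issues branch it never goes through `self.sending_client.print_announcement(...)` or `self.logger`, and the highest-severity findings this method handles only reach stdout. If the simulation is intentional scaffolding, a comment such as `# TODO: replace stdout simulation with sending_client.print_announcement once the security-issue flow exists` should say so; otherwise build `title`/`body`/`announcement` as the general branch does and call `self.sending_client.print_announcement(title, body, recipient, announcement)`. Separately, `title = f"[SECURITY] Action Required: Unauthorized Service Accounts Detected"` and `body = f"Unauthorized Service Accounts Report\n\n"` are f-strings with no placeholders and can be plain strings, and that title, which names unauthorized service accounts, is now used for the general (non-"SECURITY ALERT") issues, which may mislead the recipient. The enclosing method starts above the hunk, and `datetime` is presumably imported at module level — confirm.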
Review Comment:
## CodeQL / Clear-text logging of sensitive information
This expression logs [sensitive data (secret)](1) as clear text.
This expression logs [sensitive data (secret)](2) as clear text.
This expression logs [sensitive data (secret)](3) as clear text.
[Show more
details](https://github.com/apache/beam/security/code-scanning/1801)