github-advanced-security[bot] commented on code in PR #39177:
URL: https://github.com/apache/beam/pull/39177#discussion_r3501437875


##########
infra/enforcement/account_keys.py:
##########
@@ -405,23 +405,44 @@
         """
         if not self.sending_client:
             raise ValueError("SendingClient is required for printing 
announcements")
-            
+
         diff = self.check_compliance()
 
         if not diff:
             self.logger.info("No compliance issues found, no announcement will 
be printed.")
             return
 
-        title = f"Account Keys Compliance Issue Detected"
-        body = f"Account keys for project {self.project_id} are not compliant 
with the defined policies on {self.service_account_keys_file}\n\n"
-        for issue in diff:
-            body += f"- {issue}\n"
+        unmanaged_keys_issues = [issue for issue in diff if "SECURITY ALERT" 
in issue]
+        general_issues = [issue for issue in diff if "SECURITY ALERT" not in 
issue]
+
+        if general_issues:
+            self.logger.info("Printing general compliance announcement...")
+            title = f"[SECURITY] Action Required: Unauthorized Service 
Accounts Detected"
+            body = f"Unauthorized Service Accounts Report\n\n"
+            body += f"Account keys for project {self.project_id} are not 
compliant with the defined policies on {self.service_account_keys_file}\n\n"
+            for issue in general_issues:
+                body += f"- {issue}\n"
+
+            announcement = f"Dear team,\n\nThis is an automated notification 
about compliance issues detected in the Account Keys policy for project 
{self.project_id}.\n\n"
+            announcement += f"We found {len(general_issues)} compliance 
issue(s) that need your attention.\n"
+            announcement += f"\nPlease check the GitHub issue for detailed 
information and take appropriate action to resolve these compliance violations."
 
-        announcement = f"Dear team,\n\nThis is an automated notification about 
compliance issues detected in the Account Keys policy for project 
{self.project_id}.\n\n"
-        announcement += f"We found {len(diff)} compliance issue(s) that need 
your attention.\n"
-        announcement += f"\nPlease check the GitHub issue for detailed 
information and take appropriate action to resolve these compliance violations."
+            self.sending_client.print_announcement(title, body, recipient, 
announcement)
 
-        self.sending_client.print_announcement(title, body, recipient, 
announcement)
+        if unmanaged_keys_issues:
+            self.logger.info("Printing security dashboard update for unmanaged 
keys...")
+            timestamp = 
datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
+            print("\n" + "="*60)
+            print("SIMULATING GITHUB SECURITY ISSUE CREATION/UPDATE")
+            print("="*60)
+            print("Title: [SECURITY] Action Required: Unmanaged Service 
Account Keys Detected\n")
+            print(f"Body:\n### Unmanaged Keys Audit Report ({timestamp})")
+            print(f"The following unauthorized or unmanaged keys were detected 
in `{self.project_id}`:\n")
+            for issue in unmanaged_keys_issues:
+                print(f"- {issue}")
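Review bot: The `if unmanaged_keys_issues:` branch only prints a "SIMULATING GITHUB SECURITY ISSUE CREATION/UPDATE" banner to stdout and never calls `self.sending_client.print_announcement`, so the findings tagged SECURITY ALERT — the most severe class this method distinguishes — are the only ones not delivered through the announcement channel, and the `sending_client` guard at the top of the method protects nothing for them. If the stdout path is a deliberate placeholder for this PR, it should at least carry a `# TODO:` and a `self.logger.warning(...)` so a missing integration does not silently drop alerts; otherwise route the branch through the same announcement path as `general_issues`, as sketched below. The substring test `"SECURITY ALERT" in issue` also couples this method to the exact wording that `check_compliance()` produces; a structured diff entry (e.g. a severity field) would be less fragile than string matching. The `f"..."` literals without placeholders on the `title`/`body` lines can be plain strings. The enclosing method begins before this hunk and may continue past it.
```python
        if unmanaged_keys_issues:
            self.logger.warning("Unmanaged service account keys detected; sending security announcement...")
            timestamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
            title = "[SECURITY] Action Required: Unmanaged Service Account Keys Detected"
            body = f"### Unmanaged Keys Audit Report ({timestamp})\n"
            body += f"The following unauthorized or unmanaged keys were detected in `{self.project_id}`:\n\n"
            body += "".join(f"- {issue}\n" for issue in unmanaged_keys_issues)
            announcement = (
                f"Dear team,\n\nThis is an automated SECURITY notification for project {self.project_id}: "
                f"{len(unmanaged_keys_issues)} unmanaged service account key issue(s) were detected.\n"
                "\nPlease check the GitHub issue for details and take immediate action."
            )
            self.sending_client.print_announcement(title, body, recipient, announcement)
```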

Review Comment:
   ## CodeQL / Clear-text logging of sensitive information
   
   This expression logs [sensitive data (secret)](1) as clear text.
   This expression logs [sensitive data (secret)](2) as clear text.
   This expression logs [sensitive data (secret)](3) as clear text.
   
   [Show more 
details](https://github.com/apache/beam/security/code-scanning/1801)


