{Containerapp} Fix Credential Scanner failed #32274

Merged
bebound merged 2 commits into Azure:dev from Greedygre:xinyu/20251017_fix_credential
Oct 28, 2025

@Greedygre
Contributor

Related command

Description

Testing Guide

History Notes

[Component Name 1] BREAKING CHANGE: az command a: Make some customer-facing breaking change
[Component Name 2] az command b: Add some customer-facing feature


This checklist is used to make sure that common guidelines for a pull request are followed.

Copilot AI review requested due to automatic review settings October 17, 2025 07:36
@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Oct 17, 2025

✔️ AzureCLI-FullTest
Every module below passed (✔️) under latest, on 3.12 and 3.13:
acr, acs, advisor, ams, apim, appconfig, appservice, aro, backup, batch, batchai, billing, botservice, cdn, cloud, cognitiveservices, compute_recommender, computefleet, config, configure, consumption, container, containerapp, core, cosmosdb, databoxedge, dls, dms, eventgrid, eventhubs, feedback, find, hdinsight, identity, iot, keyvault, lab, managedservices, maps, marketplaceordering, monitor, mysql, netappfiles, network, policyinsights, privatedns, profile, rdbms, redis, relay, resource, role, search, security, servicebus, serviceconnector, servicefabric, signalr, sql, sqlvm, storage, synapse, telemetry, util, vm

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Oct 17, 2025

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@yonzhan
Collaborator

yonzhan commented Oct 17, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

Contributor

Copilot AI left a comment

Pull Request Overview

This PR addresses a Credential Scanner security issue by replacing potentially sensitive authentication keys in test recording files with placeholder values.

  • Replaces actual sharedKey values in test recordings with a sanitized placeholder "abc123"
  • Maintains consistent formatting across all test recording files
  • Ensures test recordings don't contain real credentials that could trigger security scanners

Reviewed Changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| test_containerapp_up_source_with_dockerfile_e2e.yaml | Replaced shared key with placeholder value |
| test_containerapp_up_image_e2e.yaml | Replaced shared key with placeholder value |
| test_containerapp_tcp_ingress.yaml | Replaced shared key with placeholder value |
| test_containerapp_get_customdomainverificationid_e2e.yaml | Replaced shared key with placeholder value |
| test_containerapp_env_update_custom_domains.yaml | Replaced shared key with placeholder value |
| test_containerapp_env_p2p_traffic_encryption.yaml | Replaced shared key with placeholder value |
| test_containerapp_env_mtls.yaml | Replaced shared key with placeholder value |
| test_containerapp_env_logs_e2e.yaml | Replaced shared key with placeholder value |
| test_containerapp_env_internal_only_e2e.yaml | Replaced shared key with placeholder value |
| test_containerapp_env_e2e.yaml | Replaced shared key with placeholder value |
| test_containerapp_env_custom_domains.yaml | Replaced shared key with placeholder value |
| test_containerapp_env_certificate_e2e.yaml | Replaced shared key with placeholder value |
| test_containerapp_custom_domains_e2e.yaml | Replaced shared key with placeholder value |
| test_containerapp_create_with_vnet_yaml.yaml | Replaced shared key with placeholder value |
| test_containerapp_create_with_environment_id.yaml | Replaced shared key with placeholder value |
| test_containerapp_compose_create_environment_to_target_location.yaml | Replaced shared key with placeholder value |
| test_container_app_mount_secret_update_e2e.yaml | Replaced shared key with placeholder value |
| test_container_app_mount_secret_e2e.yaml | Replaced shared key with placeholder value |
| test_container_app_mount_azurefile_e2e.yaml | Replaced shared key with placeholder value |
Comments suppressed due to low confidence (16)

@Greedygre
Contributor Author

Seems the CI failure is not related to this PR's change:

  File "/opt/hostedtoolcache/Python/3.12.11/x64/lib/python3.12/site-packages/azure/cli/command_modules/batch/custom.py", line 22, in <module>
    from azure.batch.models import (AffinityInfo, BatchPoolResizeContent, BatchStartTask, BatchTaskConstraints, BatchTask,
ImportError: cannot import name 'AffinityInfo' from 'azure.batch.models' (/opt/hostedtoolcache/Python/3.12.11/x64/lib/python3.12/site-packages/azure/batch/models/__init__.py). Did you mean: 'BatchAffinityInfo'?

@jiasli
Member

jiasli commented Oct 20, 2025

We definitely need a replacer to do this. Otherwise, rerunning these tests will generate valid sharedKeys again.

@Greedygre
Contributor Author

We definitely need a replacer to do this. Otherwise, rerunning these tests will generate valid sharedKeys again.

Hi @jiasli
Do you know

  1. why this Credential failure didn't fail in PR CI and block PR merge?
  2. why azdev scan didn't scan these secrets?

@Greedygre
Contributor Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

Member

@evelyn-ys evelyn-ys left a comment

Instead of manually replacing keys, can you implement a test recording replacer to automatically do that?

@bebound
Contributor

bebound commented Oct 20, 2025

Instead of manually replacing keys, can you implement a test recording replacer to automatically do that?

Yes, we need a permanent solution for this. We fixed the same issue before in #32232

@bebound
Contributor

bebound commented Oct 23, 2025

Next Tuesday is the code freeze. To unblock the release, shall we merge this PR first? @evelyn-ys

@Greedygre will create another PR to add the replacer.

@bebound bebound merged commit c62f56b into Azure:dev Oct 28, 2025
48 checks passed
@bebound
Contributor

bebound commented Oct 28, 2025

There is a new format of credential fixed in #32340

string: '{"primarySharedKey":"abc123","secondarySharedKey":"abc123"}'
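
One way to automate the replacement the reviewers ask for, as an added example (not code from this PR or from azure-cli's test framework): it rewrites shared-key values in recording text to the `abc123` placeholder and lists any that are still live, covering both the `sharedKey` form and the `primarySharedKey`/`secondarySharedKey` form quoted above. The function names, the sample recording lines and the handling of backslash-escaped JSON are assumptions.

```python
import re

PLACEHOLDER = "abc123"  # the placeholder this PR put into the recordings

# Matches "sharedKey", "primarySharedKey", "secondarySharedKey" (the names seen
# on this page) and, as an assumption, the same pairs inside JSON that is itself
# embedded in a string, where every quote is written as \".
SHARED_KEY_RE = re.compile(
    r'(\\?")(\w*sharedKey)\1(\s*:\s*)\1([^"\\]*)\1', re.IGNORECASE)


def scrub_recording(text):
    """Return (scrubbed_text, n) where n counts values that were replaced."""
    replaced = 0

    def _sub(m):
        nonlocal replaced
        quote, key, sep, value = m.groups()
        if value != PLACEHOLDER:
            replaced += 1
        return f"{quote}{key}{quote}{sep}{quote}{PLACEHOLDER}{quote}"

    return SHARED_KEY_RE.sub(_sub, text), replaced


def unscrubbed_keys(text):
    """Key names whose value is not the placeholder; empty list means clean."""
    return [m.group(2) for m in SHARED_KEY_RE.finditer(text)
            if m.group(4) != PLACEHOLDER]


# Constructed sample in the shape of a recording file; values are dummies.
SAMPLE = r'''
    body: '{"properties": {"sharedKey": "CONSTRUCTEDdummy0000=="}}'
      string: '{"primarySharedKey":"CONSTRUCTEDdummy1111==","secondarySharedKey":"abc123"}'
      string: '{"value": "{\"sharedKey\":\"CONSTRUCTEDdummy2222==\"}", "name": "keep-me"}'
'''

if __name__ == "__main__":
    clean, n = scrub_recording(SAMPLE)
    print(clean)
    print("replaced:", n, "remaining:", unscrubbed_keys(clean))
```

Running `unscrubbed_keys` over every recording file in CI and failing on a non-empty result catches keys that a re-recorded test writes back in.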

Labels

Auto-Assign Auto assign by bot ContainerApp
