chore(security): make TLS cert/key placeholders obvious for secret scanning#183
Merged
Merged
Conversation
…laceholders
The mlflow chart and the self-signed-vs-user-provided-tls pattern shipped example
TLS values as empty PEM blocks:
cert: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
key: |
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
GitHub secret scanning flags these (generic private key) even though they're
empty, which clutters the security reports and makes audits noisier.
Replace them with explicit, obviously-fake placeholders
(REPLACE_WITH_YOUR_PEM_ENCODED_TLS_CERTIFICATE / ..._PRIVATE_KEY) so there are no
PEM markers left to flag, it's unmistakable that nothing real is committed, and
it's clear a real value must be supplied. Regenerated the mlflow helm-docs README
table to match.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
kriscoleman
force-pushed
the
chore/sanitize-tls-placeholders
branch
from
c0e5972 to
64d366b
Compare
Member
Author
|
MLFlow CI has been broken a while, we can ignore those I think |
banjoh
approved these changes
Jun 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Cleaning up the TLS placeholders that keep tripping secret scanning.
The mlflow chart and the self-signed-vs-user-provided-tls pattern shipped example TLS config with empty PEM blocks (
-----BEGIN PRIVATE KEY-----then-----END PRIVATE KEY-----with nothing in between). They aren't real keys, but secret scanning flags the markers anyway, which just adds noise to the security reports and makes audits harder than they need to be.This swaps them for empty-string defaults with a comment that spells out the placeholder intent, so there's no PEM marker left to flag and it's obvious to an auditor that nothing real is here. I also regenerated the mlflow helm-docs README table to match.
That clears the live alerts on
applications/mlflow/charts/mlflow/values.yamlandpatterns/self-signed-vs-user-provided-tls/README.md.One more for the record: the other alert points at
applications/cassandra/charts/cassandra/templates/cassandra-tls-secret.yaml, which had an actual example key in it. That cassandra app has since been removed frommain, so the key only lives in git history now, nothing left in the tree to change. I think we just dismiss that one (example key, app already removed) rather than rewrite history for a sample chart. 🤔🤖 Generated with Claude Code