Upcoming Security Enhancement: Secret Detection for Extensions #1383
Replies: 10 comments 15 replies
-
It might be useful to exclude a number of well-known test keys that are part of existing node_modules. Many node modules include a test project, and some security modules include test keys. Modifying the node_modules folder post-install isn't ideal. Example projects:
See also:
-
Thank you for the feedback. Based on the data that we've analyzed so far and the feedback that we've gotten, we are disabling some of the rules (e.g. PemPrivateKey) since they are producing too many false positives. We will analyze these further.
-
It would be nice to be able to run the same set of rules from our own CI / build processes prior to publishing (or being rejected by the VS Code Marketplace in the future). Can you provide guidance on how to do that?
-
Updating node_modules is not at all a correct way, I think, because I have received a warning to remove
-
Hi.
-
Nice feature.
-
2 days ago, we received another notification re:
We had already fixed the issue 2 weeks ago, but the notification is for an older version. Is this a bug with the detection mechanism? Shouldn't it be testing against the latest version of the extension?
-
Any comments regarding embedding a connection string into the extension to make the telemetry module work?
-
Secret prevention is now in Blocking mode: #1442
-
I'm confused: is publishing a new version with the secret removed sufficient to keep our extension from being taken offline? I got a notice for one of my packages; ironically, the secret was an NPM_TOKEN
I really don't know why this directory was included since I have
-
We're introducing a new security mechanism to help protect the Visual Studio Marketplace ecosystem.
Soon, we'll begin scanning for and preventing the publishing of extensions that contain embedded secrets (such as Azure DevOps PAT tokens, other API keys or credentials).
This proactive measure is designed to reduce the risk of compromised extensions and protect both publishers and users.
In addition to blocking new uploads with secrets, we will also be actively cleaning up existing cases to ensure a safer environment for everyone.
If you encounter any issues once this system is in place, please log an issue or reach out to our support team for assistance.
For more details on our security efforts and what this means for you, please visit https://aka.ms/vsmsecurityblog.