robojerk/codeql-action

Register credentials extracted from proxy configuration as secrets to mask in logs

Browse source
This commit is contained in:
Michael B. Gale 2025-06-12 12:59:02 +01:00
parent 466d6ce584
commit bbab10229f
No known key found for this signature in database
GPG key ID: FF5E2765BD00628F
3 changed files with 52 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/start-proxy.ts
View file

@ -1,3 +1,5 @@
import * as core from "@actions/core";
import { parseLanguage, Language } from "./languages";
import { Logger } from "./logging";
import { ConfigurationError } from "./util";
@ -63,6 +65,14 @@ export function getCredentials(
const out: Credential[] = [];
for (const e of parsed) {
// Mask credentials to reduce chance of accidental leakage in logs.
if (e.password !== undefined) {
core.setSecret(e.password);
}
if (e.token !== undefined) {
core.setSecret(e.token);
}
if (e.url === undefined && e.host === undefined) {
// The proxy needs one of these to work. If both are defined, the url has the precedence.
throw new ConfigurationError(