Conversation
Instead of the addition of Tilt, would it make more sense to reduce the amount of "public" ports we expose by default? I think most of them like pg and stripe don't need to be host-facing. |
@miketheman yeah, we could remove these from the docker-compose and just let them talk over the docker network, I guess. We could also do both, as Tilt gives us some dev/prod parity, which is why I like it for python.org and other apps I'm working on.
```python
env_count = len(app_config.get("env", {}))
secrets_count = len(app_config.get("secrets", {}))
print(f" Synced {env_count} env vars, {secrets_count} secrets")
```
Check failure
Code scanning / CodeQL: Clear-text logging of sensitive information (High)

Copilot Autofix (AI, about 2 months ago)
In general, to fix clear-text logging of sensitive information, avoid sending any data derived from secrets (even metadata like counts, names, or partial values) to logs. If progress needs to be logged, restrict it to non-secret information or to fixed, non–data-dependent messages.
Here, the specific issue is that secrets_count = len(app_config.get("secrets", {})) is then interpolated into a log line. The simplest fix without changing functionality is to stop including the secret-derived count in the log message while still logging the env var count, or to remove the line entirely. The functional behavior of the script (creating/updating configs and committing them) does not depend on this log line; it is purely informational.
Best minimal change in scripts/bootstrap_cabotage.py:
- Keep computation of `env_count` if we still want to log it.
- Either:
  - Keep `secrets_count` for internal use but do not log it, or
  - Remove `secrets_count` entirely (since it's only used for logging).
- Change the log line to avoid interpolating `secrets_count` and instead use a generic message like `" Synced environment and secrets configuration"` or a format that only mentions the env var count, e.g., `" Synced {env_count} env vars and secrets"` (no count for secrets).

Since `secrets_count` is not used anywhere else, the cleanest fix is to remove it and update the `print` accordingly. No new imports or helper methods are required.

Concretely:
- Around lines 362–365, remove the assignment to `secrets_count` and change the `print` so that it does not include `{secrets_count}`. Everything else in the file remains unchanged.
| @@ -360,8 +360,7 @@ | ||
| db.session.add(config) | ||
|
|
||
| env_count = len(app_config.get("env", {})) | ||
| secrets_count = len(app_config.get("secrets", {})) | ||
| print(f" Synced {env_count} env vars, {secrets_count} secrets") | ||
| print(f" Synced {env_count} env vars and secrets configuration") | ||
|
|
||
| db.session.commit() | ||
| print("\nBootstrap complete!") |
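Review bot: The replacement `print` on the added line no longer interpolates anything derived from the `secrets` mapping, which is what the CodeQL rule traces, and the hunk header (`-360,8 +360,7`) shows the now-unused `secrets_count` assignment was removed rather than left dangling, so nothing in this region still touches the secrets. One point worth settling before merge: `env_count` is still computed from the same `app_config` mapping, so if the number of environment variables is also treated as deployment-sensitive here, the fixed message `" Synced environment and secrets configuration"` with no counts at all would be the safer form; as written, the hunk closes the finding without changing what the bootstrap script actually does.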
I find myself needing multiple services when working across projects, and ports almost always conflict (i.e., working on warehouse + pycon-site + pycon check-in + python.org), whether that be a conflict on the web service, the database, or otherwise.
In comes Tilt, which allows us to more accurately reflect production deployments and avoid this port conflict.
When bootstrapped with a local cabotage instance, it will generate a URL based on the ingress IP. I'm using nip.io (https://sslip.io/) to help with some DNS issues (but maybe it's not needed).
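To make the CodeQL finding above concrete, here is an added example (not code from this PR or from cabotage) that models the scanner's reasoning at runtime: anything computed from the `secrets` mapping is wrapped in a taint marker that refuses to be rendered into a string, so the flagged `print` fails while the autofix's form passes. The `SecretDerived` class, the helper functions and `SAMPLE_APP_CONFIG` are all constructed for this illustration.

```python
"""Added example: keep secret-derived values out of log lines (hypothetical helpers)."""
from typing import Any, Callable, Mapping, Tuple


class SecretDerived:
    """Taint marker for anything computed from the ``secrets`` mapping.

    The wrapped value stays usable through ``.value`` for internal logic, but
    rendering it into text (print, f-string, logging) raises, which is the
    property CodeQL's clear-text-logging rule checks statically.
    """

    def __init__(self, value: Any) -> None:
        self.value = value

    def __str__(self) -> str:
        raise ValueError("secret-derived value must not be rendered into a log line")

    __repr__ = __str__

    def __format__(self, spec: str) -> str:  # f-strings and str.format() call this
        raise ValueError("secret-derived value must not be rendered into a log line")


def load_config_counts(app_config: Mapping[str, Any]) -> Tuple[int, SecretDerived]:
    """Mirror the bootstrap script's two counts; only the secrets one is tainted."""
    env_count = len(app_config.get("env", {}))
    secrets_count = SecretDerived(len(app_config.get("secrets", {})))
    return env_count, secrets_count


def sync_message_flagged(app_config: Mapping[str, Any]) -> str:
    """The line CodeQL flagged: the secret-derived count is interpolated."""
    env_count, secrets_count = load_config_counts(app_config)
    return f" Synced {env_count} env vars, {secrets_count} secrets"


def sync_message_fixed(app_config: Mapping[str, Any]) -> str:
    """The autofix's form: only the env-var count reaches the message."""
    env_count, _secrets_count = load_config_counts(app_config)
    return f" Synced {env_count} env vars and secrets configuration"


def renders_cleanly(build_message: Callable[[Mapping[str, Any]], str], app_config) -> bool:
    """True if building the message never touches secret-derived material."""
    try:
        build_message(app_config)
    except ValueError:
        return False
    return True


# Constructed sample config shaped like app_config in the script; values are placeholders.
SAMPLE_APP_CONFIG = {
    "env": {"DATABASE_URL": "postgres://db/warehouse", "DEBUG": "1"},
    "secrets": {"STRIPE_API_KEY": "sk_test_PLACEHOLDER", "SESSION_SECRET": "PLACEHOLDER"},
}
```

The same wrapper can guard other metadata derived from secrets (key names, lengths, partial values) without blocking their use inside the sync logic itself.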