New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Treat API key as secret and store them securely #532
Comments
As already stated in DependencyTrack/dependency-track#2552 the API keys should definitely treated more securely. They should be generated for user accounts, not for teams. Having api keys for teams seems to me like a wrong architectural decision. An API key should belong to a single user. This is helpful for auditing actions in Dependency Track. A user shoud be able to generate an API key for himself. There could be technical accounts like CI users that only have API keys and no password at all. Hence loging in on the gui with a technical account would not be possible. |
I see your point but would disagree here. It would drastically increase the effort if I needed a special account (managed by our IT in Active Directory) for each team. With many teams I would have to request from our IT an account every time a new project is set up. Since the team is unable to gain access to the Key by themselves, I don't see a problem. Ideally it would be visible which API key is used to do an action in the logs, and naming the API keys would be helpful too. But then I see no further benefit from using a separate user. |
In order to use tools such as the Dependency Track in a regulated environment like a financial institute , it is essential that actions can be assigned to a single, specific user. How useful is an audit trail (see Dependency Track) if it says that someone from a team of 50 people has signed a vulnerability as a false positive? It is practically useless. |
What if it says the API key named "build server" of team X has done it?. I agree with the plaintext keys, thats my original request. |
So your workflow would be
|
Almost, Maybe an administrator could create this ci-user as a technical user without password, generate an api key and stores this key in the configuration of the CI-server. The api key should only be visible to the administrator once he created it. |
You just can't enforce non repudiation, if api keys are generated for teams. |
Team API keys should be treated as a secret and not stored in plaintext, instead stored as and compared against the hash. They should not be available on UI like currently in Dependency-Track, except once when generating them. Instead they should get a name and only the name be displayed in UI, to allow identify & delete them.
The text was updated successfully, but these errors were encountered: