[Main] [STRATCONN-6227] Update documentation and review guidelines to check for type:password #3360
Pull Request Overview
This PR enhances security documentation and review processes by adding comprehensive guidance for properly marking sensitive fields with type: 'password' across the Action Destinations codebase. This ensures credentials and secrets are properly secured in Segment's infrastructure and excluded from git sync operations.
Key changes:
- Added extensive documentation explaining when and why to use `type: 'password'` for sensitive fields
- Enhanced PR review guidelines to include security checks for proper password field usage
- Updated the PR template with a security review checklist
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| README.md | Added comprehensive "Password and Secret Fields" section with implementation examples, security rationale, and integration details |
| CONTRIBUTING.md | Added security review checklist for GA releases, emphasizing proper password field configuration |
| .github/copilot-instructions.md | Enhanced code review guidelines to include security and secret detection checks |
| .github/PULL_REQUEST_TEMPLATE.md | Added security review section with checklist for verifying proper handling of sensitive fields |
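As an added example of the check the new review guideline asks for, and not code from this PR or from the action-destinations repository: a small TypeScript scan that flags destination fields which look like credentials (by key, label or description) but are not declared `type: 'password'`, plus the corresponding fix, run against a constructed authentication field map. The `FieldDef` stand-in, the `sampleAuthFields` data and the `SECRET_WORDS` keyword list are assumptions of this example; the project's own field definition type carries more properties than the stand-in used here.

```typescript
// Added example, not code from the PR or the action-destinations repository.
// Minimal stand-in for a destination field definition; only `type` matters here.
type FieldType = 'string' | 'password' | 'boolean' | 'number'

interface FieldDef {
  label: string
  description: string
  type: FieldType
  required?: boolean
}

type FieldMap = Record<string, FieldDef>

// Constructed sample: the API key is marked correctly, but a bearer token and a
// client secret are left as plain strings, which is the mistake the review checks for.
export const sampleAuthFields: FieldMap = {
  apiKey: { label: 'API Key', description: 'Key used to call the partner API', type: 'password', required: true },
  accessToken: { label: 'Access Token', description: 'OAuth bearer token', type: 'string', required: true },
  clientSecret: { label: 'Client Secret', description: 'OAuth client secret', type: 'string' },
  endpoint: { label: 'Endpoint', description: 'Region-specific base URL', type: 'string' },
  verifySsl: { label: 'Verify SSL', description: 'Validate the TLS certificate', type: 'boolean' }
}

// Heuristic: a field whose key, label or description contains one of these words is
// assumed to hold a credential. The list is an assumption of this example, not the project's.
const SECRET_WORDS = ['password', 'secret', 'token', 'apikey', 'api_key', 'api key', 'credential', 'private key']

function looksSensitive(key: string, field: FieldDef): boolean {
  const haystack = `${key} ${field.label} ${field.description}`.toLowerCase()
  return SECRET_WORDS.some((word) => haystack.includes(word))
}

// Keys of fields that look like secrets but are not declared type: 'password'.
export function findUnmarkedSecretFields(fields: FieldMap): string[] {
  return Object.entries(fields)
    .filter(([key, field]) => field.type !== 'password' && looksSensitive(key, field))
    .map(([key]) => key)
}

// Copy of the field map with every flagged field switched to type: 'password',
// which is the fix the review guideline asks contributors to make.
export function markSecretFields(fields: FieldMap): FieldMap {
  const flagged = new Set(findUnmarkedSecretFields(fields))
  const out: FieldMap = {}
  for (const [key, field] of Object.entries(fields)) {
    out[key] = flagged.has(key) ? { ...field, type: 'password' as const } : field
  }
  return out
}

// Stand-alone run: report the offending keys for the sample, then confirm the fix clears them.
console.log('unmarked secret fields:', findUnmarkedSecretFields(sampleAuthFields))
console.log('after fix:', findUnmarkedSecretFields(markSecretFields(sampleAuthFields)))
```

The keyword match is deliberately broad: a false positive costs a reviewer a moment, while a missed credential ends up unobfuscated in the UI. A field such as `endpoint` is untouched, so the scan does not blanket-convert every string field.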
Pull Request Overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
> When working with sensitive data such as API keys, tokens, passwords, or other credentials, it's critical to properly mark these fields with `type: 'password'`. This ensures proper security handling across Segment's infrastructure, including:
>
> - **UI Security**: Fields are automatically obfuscated in the Segment App interface
And also public API security
> 2. **Configuration Management**: Password fields receive special handling in Segment's configuration APIs and admin interfaces.
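Review bot: "receive special handling" is too vague for a contributor to act on or verify; this bullet should name the concrete behaviour (what a read of the configuration returns for a password field, and who can see the stored value) or be dropped, because as written the README asserts a guarantee that nothing in this PR documents.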
> 3. **Security Auditing**: Enables Segment to provide proper audit trails and compliance reporting for sensitive configuration changes.
I am not sure if we have this
> - name: Get changed files
>   id: changed_files
>   uses: tj-actions/changed-files@v45
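Review bot: `uses: tj-actions/changed-files@v45` references a mutable tag, so the workflow runs whatever commit that tag points to at run time; if the action is kept, pin it to a full commit SHA (with the version in a trailing comment so Dependabot can still track it). Listing changed files does not need a third-party action at all: after a checkout with `fetch-depth: 0`, a `run:` step with `git diff --name-only` against the base ref gives the same list with no external dependency.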
This action was subject to a supply chain attack recently. Any way we can avoid the dependency?
https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
In this PR, updated documentation and review guidelines to check for type: password
Jira: https://twilio-engineering.atlassian.net/browse/STRATCONN-6227