
Security hardening: #526

Merged
mmckechney merged 1 commit into master from mmckechney/security-code-review on Jun 5, 2026
Conversation

@mmckechney (Owner)
  • log secret redaction
  • stronger settings crypto
  • secure-by-default TLS

Phase 1+2 - Centralized secret redaction in logs:

  • Promote ConnectionStringRedactor to public with MaskKey/MaskPassword/RedactConnectionString
  • Mask keys (first 4 chars + x), passwords (first+last + x), conn-string secrets at all log sites
  • Batch SAS token no longer logged (storage account name only); KeyVault logs exception type/message

Phase 3 - Strengthen settings-file encryption (Cryptography.cs):

  • New authenticated format: version byte + random salt + random IV + ciphertext + HMAC
  • PBKDF2-SHA256 100k iterations, encrypt-then-MAC; legacy read path retained for backward compat

Phase 4 - TLS secure-by-default:

  • New --trustservercertificate/--trustcert flag (default false); certs validated by default
  • Added to settings JSON (AuthenticationArgs) and documented in CHANGELOG/README/commandline.md
  • Process-wide ambient default ConnectionHelper.TrustServerCertificate seeded by the binder; connData carries the operator's intent through the threaded build, validation, and backout paths

Docs: CHANGELOG, README Security section, commandline.md flag reference.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
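The Phase 3 settings-file format described above, as an added worked example in C# (.NET 6+ APIs); this is not the project's Cryptography.cs. The field sizes, AES-CBC as the cipher mode, the version value and the class and method names are assumptions, since the PR only names the fields, the KDF and the encrypt-then-MAC order.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Assumed layout (the PR names the fields, not sizes or cipher mode): version(1) | salt(16) | IV(16) | AES-256-CBC ciphertext | HMAC-SHA256 tag(32)
public static class SettingsFileCrypto
{
    const byte FormatVersion = 1; const int Iterations = 100_000; // version value assumed; 100k iterations from the PR
    // One PBKDF2-SHA256 run yields two independent keys: 32 bytes for AES, 32 for the MAC.
    static (byte[] Enc, byte[] Mac) DeriveKeys(string passphrase, byte[] salt)
    {
        byte[] k = Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations, HashAlgorithmName.SHA256, 64);
        return (k[..32], k[32..]);
    }

    public static byte[] Encrypt(string passphrase, byte[] plaintext)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16); // fresh salt and IV on every write
        byte[] iv = RandomNumberGenerator.GetBytes(16);
        var (enc, mac) = DeriveKeys(passphrase, salt);
        using var aes = Aes.Create();
        aes.Key = enc;
        byte[] ct = aes.EncryptCbc(plaintext, iv);        // PKCS#7 padding is the default
        byte[] body = new[] { FormatVersion }.Concat(salt).Concat(iv).Concat(ct).ToArray();
        return body.Concat(HMACSHA256.HashData(mac, body)).ToArray(); // encrypt-then-MAC: tag covers all of body
    }

    public static byte[] Decrypt(string passphrase, byte[] blob)
    {
        if (blob.Length < 1 + 16 + 16 + 32 || blob[0] != FormatVersion)
            throw new CryptographicException("Truncated blob or unknown version (a legacy-format reader would dispatch here).");
        byte[] body = blob[..^32], tag = blob[^32..];
        var (enc, mac) = DeriveKeys(passphrase, body[1..17]);
        // Verify in constant time before any decryption, so tampering is rejected outright (no padding oracle).
        if (!CryptographicOperations.FixedTimeEquals(HMACSHA256.HashData(mac, body), tag))
            throw new CryptographicException("Authentication failed: wrong passphrase or tampered file.");
        using var aes = Aes.Create();
        aes.Key = enc;
        return aes.DecryptCbc(body[33..], body[17..33]);
    }

    static void Main()
    {
        byte[] blob = Encrypt("pass", Encoding.UTF8.GetBytes("{\"Password\":\"s3cret\"}"));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt("pass", blob)));  // round-trips
        blob[^1] ^= 1;  // flip one tag bit: Decrypt now throws instead of returning garbage
        try { Decrypt("pass", blob); } catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the tag is checked before any decryption, a wrong passphrase and a modified file fail the same way, and the CBC padding is never examined on unauthenticated data.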
Dismissed review comment threads:

  • src/SqlBuildManager.Console/CloudStorage/StorageManager.cs
  • src/SqlBuildManager.Console/KeyVault/KeyVaultHelper.cs
  • src/SqlBuildManager.Console/Kubernetes/KubernetesManager.cs (3 threads)
@mmckechney mmckechney merged commit 0612be1 into master Jun 5, 2026
5 checks passed
@mmckechney mmckechney deleted the mmckechney/security-code-review branch June 5, 2026 20:20
2 participants