Skip to content

{CI} Suppress false positives in Credential Scanner #32669

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
necusjz merged 1 commit into from
Jan 19, 2026
Merged

{CI} Suppress false positives in Credential Scanner #32669

necusjz merged 1 commit into from
Jan 19, 2026
+12 −0

Conversation

@necusjz
Copy link
Member

@necusjz necusjz commented Jan 19, 2026

Related command

Description

from https://dev.azure.com/azclitools/public/_build/results?buildId=291659&view=logs&jobId=9a50307c-53e6-51fa-ddad-d8767a4a0ece&j=9a50307c-53e6-51fa-ddad-d8767a4a0ece&t=51a28232-c495-58b8-0a15-8a556d230675:

Guardian is searching for results that meet the given criteria to break the build.
Results Query Summary:
  Tool Filters (Include): credscan:Error
  Baselines: default
  Suppression Sets: default
  Policy: Microsoft
##[error]1. Credential Scanner Error CSCAN-GENERAL0030 - File: src/azure-cli/azure/cli/command_modules/postgresql/flexible_server_custom_postgres.py:src/azure-cli/azure/cli/command_modules/postgresql/flexible_server_custom_postgres.py. Line: 211. Column 3. 
Signature: 500798caa6165dfacdaddc634a0609a2c71f87c333a39399dd4932fd6ba81d1a
Tool: Credential Scanner: Rule: CSCAN-GENERAL0030 (User Login Credentials). https://aka.ms/credscan
A potential secret was detected in 'flexible_server_custom_postgres.py':(CSCAN-GENERAL0030 User Login Credentials) Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan.
##[error]2. Credential Scanner Error CSCAN-GENERAL0060 - File: src/azure-cli/azure/cli/command_modules/network/tests/latest/test_network_commands.py:src/azure-cli/azure/cli/command_modules/network/tests/latest/test_network_commands.py. Line: 6256. Column 26. 
Signature: 5ad22f4fda85dcc807f8f336b161008c6cb06d0cc93b93283e85562f41721678
Tool: Credential Scanner: Rule: CSCAN-GENERAL0060 (General Password). https://aka.ms/credscan
A potential secret was detected in 'test_network_commands.py':(CSCAN-GENERAL0060 General Password) Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan.
Active results: 2
Skipped results: 0
  Baselined results: 0
  Suppressed results: 0
  Results excluded by tool filters: 0
  Results below minimum severity: 0
  Results classified as Pass: 0
  Results in flight: 0
##[error]Guardian detected one or more breaking results.

##[error]Error: Guardian exited with an error exit code: 8

Both

azure-cli/src/azure-cli/azure/cli/command_modules/postgresql/flexible_server_custom_postgres.py

Line 211 in aeee555

user = server_result.administrator_login if is_password_auth_enabled else '<user>'

and

azure-cli/src/azure-cli/azure/cli/command_modules/network/tests/latest/test_network_commands.py

Line 6256 in 47cfdec

password="AAAAAAAA",

don't have any secret. They're false positives.

Testing Guide

History Notes

[Component Name 1] BREAKING CHANGE: az command a: Make some customer-facing breaking change
[Component Name 2] az command b: Add some customer-facing feature

This checklist is used to make sure that common guidelines for a pull request are followed.

@necusjz necusjz self-assigned this Jan 19, 2026
Copilot AI review requested due to automatic review settings January 19, 2026 03:52
@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jan 19, 2026
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️latest
️✔️3.12
️✔️3.13
️✔️acs
️✔️latest
️✔️3.12
️✔️3.13
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.13
️✔️ams
️✔️latest
️✔️3.12
️✔️3.13
️✔️apim
️✔️latest
️✔️3.12
️✔️3.13
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.13
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️aro
️✔️latest
️✔️3.12
️✔️3.13
️✔️backup
️✔️latest
️✔️3.12
️✔️3.13
️✔️batch
️✔️latest
️✔️3.12
️✔️3.13
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.13
️✔️billing
️✔️latest
️✔️3.12
️✔️3.13
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.13
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.13
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.13
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.13
️✔️config
️✔️latest
️✔️3.12
️✔️3.13
️✔️configure
️✔️latest
️✔️3.12
️✔️3.13
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.13
️✔️container
️✔️latest
️✔️3.12
️✔️3.13
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.13
️✔️core
️✔️latest
️✔️3.12
️✔️3.13
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.13
️✔️databoxedge
️✔️latest
️✔️3.12
️✔️3.13
️✔️dls
️✔️latest
️✔️3.12
️✔️3.13
️✔️dms
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.13
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.13
️✔️find
️✔️latest
️✔️3.12
️✔️3.13
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.13
️✔️identity
️✔️latest
️✔️3.12
️✔️3.13
️✔️iot
️✔️latest
️✔️3.12
️✔️3.13
️✔️keyvault
️✔️latest
️✔️3.12
️✔️3.13
️✔️lab
️✔️latest
️✔️3.12
️✔️3.13
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️maps
️✔️latest
️✔️3.12
️✔️3.13
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.13
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.13
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.13
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.13
️✔️network
️✔️latest
️✔️3.12
️✔️3.13
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.13
️✔️postgresql
️✔️latest
️✔️3.12
️✔️3.13
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.13
️✔️profile
️✔️latest
️✔️3.12
️✔️3.13
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.13
️✔️redis
️✔️latest
️✔️3.12
️✔️3.13
️✔️relay
️✔️latest
️✔️3.12
️✔️3.13
️✔️resource
️✔️latest
️✔️3.12
️✔️3.13
️✔️role
️✔️latest
️✔️3.12
️✔️3.13
️✔️search
️✔️latest
️✔️3.12
️✔️3.13
️✔️security
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.13
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.13
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.13
️✔️sql
️✔️latest
️✔️3.12
️✔️3.13
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.13
️✔️storage
️✔️latest
️✔️3.12
️✔️3.13
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.13
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.13
️✔️util
️✔️latest
️✔️3.12
️✔️3.13
️✔️vm
️✔️latest
️✔️3.12
️✔️3.13

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jan 19, 2026

Hi @necusjz,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jan 19, 2026
edited
Loading

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan
Copy link
Collaborator

yonzhan commented Jan 19, 2026

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions
Copy link

github-actions bot commented Jan 19, 2026

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot CI CI labels Jan 19, 2026
Copilot AI reviewed Jan 19, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR suppresses two false positive credential scanner alerts that were blocking CI builds. The credential scanner incorrectly flagged benign code patterns as potential security issues.

Changes:

  • Added suppression for PostgreSQL module's flexible_server_custom_postgres.py which uses placeholder strings like '<user>' and '<password>' in output messages
  • Added suppression for Network module's test file test_network_commands.py which uses a hardcoded test password for certificate generation in tests

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@necusjz necusjz merged commit 77d5d87 into Azure:dev Jan 19, 2026
62 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@bebound bebound bebound approved these changes

@wangzelin007 wangzelin007 wangzelin007 approved these changes

@kairu-ms kairu-ms Awaiting requested review from kairu-ms kairu-ms is a code owner

@jiasli jiasli Awaiting requested review from jiasli jiasli is a code owner

@calvinhzy calvinhzy Awaiting requested review from calvinhzy calvinhzy is a code owner

@yonzhan yonzhan Awaiting requested review from yonzhan

@jsntcy jsntcy Awaiting requested review from jsntcy

@Pan-Qi Pan-Qi Awaiting requested review from Pan-Qi

Assignees

@necusjz necusjz

@wangzelin007 wangzelin007

Labels

Auto-Assign Auto assign by bot CI CI

Projects

None yet

Milestone

March 2026 (2026-03-03)

Development

Successfully merging this pull request may close these issues.

4 participants

@necusjz @yonzhan @bebound @wangzelin007