fix: remove static secret and access keys#828

Open
CallMeLeopoldo wants to merge 1 commit into master from ls/remove-secret-keys

Conversation

@CallMeLeopoldo
Contributor

No description provided.

@codacy-production

Codacy's Analysis Summary

0 new issues (≤ 1 medium issue)
0 new security issues (≤ 0 minor issues)

@codacy-production codacy-production bot left a comment


Pull Request Overview

This PR successfully removes the static Minio accessKey and secretKey. However, the security hardening is incomplete as hardcoded passwords for RabbitMQ and PostgreSQL remain with default values. Furthermore, the PR description is empty, which provides no context on how the application is expected to authenticate with Minio moving forward (e.g., via IAM roles or environment variables). Verification of the fallback mechanism is required to ensure connectivity is not broken.

About this PR

  • The PR represents a partial implementation of the apparent security goal. While Minio keys are removed, several other static credentials remain in the file (e.g., RabbitMQ and PostgreSQL passwords), which should also be externalized for a consistent security posture.
  • The PR description is empty. Please provide context on how the application is expected to authenticate with Minio once these static keys are removed (e.g., AWS IAM roles, environment variables) to ensure the configuration is complete.
1 comment outside of the diff
codacy/values.yaml

line 142-154 🟡 MEDIUM RISK
Suggestion: While removing the S3 keys is a good security improvement, static credentials for RabbitMQ (line 142) and PostgreSQL (line 154) remain hardcoded with default values. To maintain consistency and improve the security posture, these should be refactored to use Kubernetes secrets.

Try running the following prompt in your IDE agent:

Refactor the rabbitmqPassword and postgresqlPassword fields in codacy/values.yaml to be provided via secrets rather than hardcoded strings, following the pattern of the cryptoSecret field.

Test suggestions

  • Verify that the application successfully falls back to alternative credential providers (e.g., IAM roles or environment variables) when these keys are absent.
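To illustrate the refactor the review asks for, here is an added example (not from this PR or the Codacy chart) of a Helm values file that ships default passwords beside one that references a Kubernetes Secret, with a template excerpt that injects the values via `secretKeyRef`. Only `rabbitmqPassword`, `postgresqlPassword` and `cryptoSecret` are names from the page; `global.existingSecret`, the `*Key` fields, the Secret name and the environment variable names are assumptions.

```yaml
# values.yaml (before): credentials rendered straight into manifests.
# Anyone with read access to the chart, the rendered manifests or the
# Helm release history sees them, and the defaults work everywhere.
global:
  rabbitmqPassword: "change-me"      # constructed placeholder default
  postgresqlPassword: "change-me"    # constructed placeholder default
  cryptoSecret: ""

---
# values.yaml (after): the chart holds no secret material at all.
# The operator creates the Secret out of band and names it here.
# Key names below are assumptions for this example, not the chart's.
global:
  existingSecret: ""                 # e.g. "codacy-credentials"
  rabbitmqPasswordKey: "rabbitmq-password"
  postgresqlPasswordKey: "postgresql-password"
  cryptoSecretKey: "crypto-secret"

---
# templates/deployment.yaml (excerpt, assumed file): fail the render if
# no Secret is named, so a missing value can never silently fall back
# to a default; then read each credential from the Secret at runtime.
{{- $secretName := required "global.existingSecret must be set" .Values.global.existingSecret }}
env:
  - name: RABBITMQ_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ $secretName | quote }}
        key: {{ .Values.global.rabbitmqPasswordKey | quote }}
  - name: POSTGRESQL_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ $secretName | quote }}
        key: {{ .Values.global.postgresqlPasswordKey | quote }}
  - name: CRYPTO_SECRET
    valueFrom:
      secretKeyRef:
        name: {{ $secretName | quote }}
        key: {{ .Values.global.cryptoSecretKey | quote }}
```

The `required` guard is what turns a forgotten `--set global.existingSecret=...` into a `helm template`/`helm install` error instead of a deployment that boots with a well-known password, which is the fallback check the review asks to verify.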
