Skip to content

fix: harden unity-cli credential examples (Snyk W007)#21

Merged
andresbayon merged 2 commits into
mainfrom
unity-cli/harden-credential-examples
Jul 2, 2026
Merged

fix: harden unity-cli credential examples (Snyk W007)#21
andresbayon merged 2 commits into
mainfrom
unity-cli/harden-credential-examples

Conversation

@andresbayon

Copy link
Copy Markdown
Collaborator

What

Removes the runnable command examples in unity-cli/SKILL.md that place secrets directly on the command line, which the Snyk W007 ("insecure credential handling") audit flagged. All real flags stay documented so an agent still knows they exist — only the copy-pasteable insecure demonstrations are removed.

Changes

Spot Before After
CI service-account auth ("Equivalent to") unity auth login --client-id <id> --client-secret <secret> --client-id <id> --secret-from-stdin
auth login block runnable --client-secret <secret> command labelled anti-pattern note pointing to --secret-from-stdin / UNITY_SERVICE_ACCOUNT_* env vars
config proxy runnable http://user:secret@proxy.example.com:8080 prose noting embedded userinfo is supported/redacted, but prefer the OS keyring lookup
Android keystore generic "prefer CI secret stores" warning explicit: supply --android-keystore-* from CI secret env vars (e.g. "$KEYSTORE_PASSWORD"), never inline literals

Net +9 / −6 lines.

Why this is low-risk

The secure alternatives (--secret-from-stdin, --git-token-stdin, UNITY_SERVICE_ACCOUNT_ID/_SECRET env vars) were already the documented defaults throughout the skill — every --git-token example already used --git-token-stdin. This change just removes the insecure demonstrations the audit flagged and reframes them as anti-patterns.

🤖 Generated with Claude Code

Remove runnable command examples that place secrets on the command
line, while keeping the real flags documented:

- CI auth "Equivalent to" now uses --secret-from-stdin, not --client-secret
- Drop the copy-pasteable --client-secret <secret> command (kept as a
  labelled anti-pattern note pointing to stdin / env-var auth)
- Replace the http://user:secret@host proxy example with prose that
  points to the OS keyring lookup
- Strengthen the Android keystore warning to require CI secret env vars
  (e.g. "$KEYSTORE_PASSWORD"), never inline literals

The secure alternatives (--secret-from-stdin, --git-token-stdin,
UNITY_SERVICE_ACCOUNT_* env vars) were already the documented defaults;
this removes the insecure demonstrations the audit flagged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@andresbayon andresbayon requested a review from a team as a code owner July 1, 2026 14:02
Copilot AI review requested due to automatic review settings July 1, 2026 14:02

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the unity-cli skill documentation to remove (or de-emphasize) copy/pasteable examples that place credentials directly on the command line, addressing Snyk W007 insecure credential handling findings while keeping secure alternatives documented.

Changes:

  • Updates CI service-account auth guidance to point to --secret-from-stdin instead of --client-secret <secret>.
  • Replaces insecure auth login and proxy credential examples with anti-pattern warnings and safer guidance.
  • Expands Android keystore guidance to discourage inline literals and steer users toward CI secret sources.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread skills/unity-cli/SKILL.md Outdated
Comment thread skills/unity-cli/SKILL.md Outdated
Comment thread skills/unity-cli/SKILL.md Outdated
clm2609
clm2609 previously approved these changes Jul 2, 2026
- Drop misleading "Equivalent to" claim for CI env-var auth; clarify it
  maps to auth login flags but isn't a full login (no keyring persist)
- Reference --client-secret flag without the copy-pasteable <secret>
  placeholder
- Clarify keystore env vars avoid hard-coding literals but the expanded
  value still appears in argv; mask in CI logs

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

@andresbayon andresbayon enabled auto-merge (squash) July 2, 2026 14:52
@andresbayon andresbayon merged commit e06b9ce into main Jul 2, 2026
4 checks passed
@andresbayon andresbayon deleted the unity-cli/harden-credential-examples branch July 2, 2026 14:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants