
Secure coding improvements, pr number 1#391

Open
TomasTomecek wants to merge 4 commits into packit:main from TomasTomecek:secure-coding-1

Conversation

@TomasTomecek
Member

I will send more with follow-up PRs. There were even more changes here, but I decided to split/cut them because I didn't like Claude's proposals.

Claude's detailed overview:

2. Add credential redaction to MCP gateway logs (HIGH)

Files: mcp_server/gateway.py, mcp_server/tests/unit/test_gateway.py

Added _redact() function with regex patterns matching common credential formats:

  • GitLab PATs (glpat-...)
  • Anthropic API keys (sk-ant-...)
  • Google API keys (AIzaSy...)
  • OAuth2 tokens in URLs (oauth2:...@)
  • Generic long tokens (20+ chars with keywords like token/key/password)

The log_tool_call decorator now redacts all tool arguments and error messages before logging.

Test coverage: 20 unit tests covering pattern matching, edge cases, and real-world scenarios.

3. Add LITELLM_DEBUG environment variable guard (HIGH)

Files: agents/utils.py, templates/beeai-agent.env

set_litellm_debug() now checks for LITELLM_DEBUG env var before enabling debug mode. If not set, logs a warning and returns without enabling token-leaking debug output.

Added comprehensive documentation explaining the security risk and usage.

5. Add SecurityContext to K8s deployments (LOW)

Files: openshift/deployment-*.yml (10 files)

Replaced empty securityContext: {} with:

securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

Matches the pattern already used in cronjob manifests.

Signed-off-by: Tomas Tomecek <ttomecek@redhat.com>
Assisted-by: Claude
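As an added illustration of the redact-before-logging approach described in item 2 above (example code written for this review, not the PR's own mcp_server/gateway.py): a public redact_text() modelled on the described _redact(), a recursive redaction of nested tool arguments, and a log_tool_call decorator that scrubs both arguments and error messages. The pattern set, the [REDACTED] placeholder, the logger name and the clone_repo tool are constructed assumptions, not packit's real regexes or tools.

```python
import functools
import logging
import re

REDACTED = "[REDACTED]"

# Constructed approximation of the credential formats listed in the PR description.
# Each entry is (pattern, replacement); replacements keep non-secret context
# (the "oauth2:" prefix, the key name) so the log line stays readable.
REDACT_PATTERNS = (
    # GitLab personal access tokens: glpat- followed by 20+ token characters
    (re.compile(r"glpat-[A-Za-z0-9_-]{20,}"), REDACTED),
    # Anthropic API keys: sk-ant- prefix
    (re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}"), REDACTED),
    # Google API keys: AIzaSy prefix plus 33 more characters
    (re.compile(r"AIzaSy[A-Za-z0-9_-]{33}"), REDACTED),
    # OAuth2 tokens embedded in clone URLs: oauth2:<token>@host
    (re.compile(r"oauth2:[^@\s/]+@"), "oauth2:" + REDACTED + "@"),
    # Generic: a key whose name mentions token/key/password/secret, followed by
    # = or : and a value of 20+ characters; the key name and separator survive
    (re.compile(r"(?i)(\w*(?:token|key|password|secret))(\s*[=:]\s*)[A-Za-z0-9_\-./+]{20,}"),
     r"\1\2" + REDACTED),
)


def redact_text(text):
    """Replace every substring matching a credential pattern with a placeholder."""
    result = str(text)
    for pattern, replacement in REDACT_PATTERNS:
        result = pattern.sub(replacement, result)
    return result


def redact_value(value):
    """Recursively redact strings inside dicts, lists and tuples; leave other types alone."""
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, dict):
        return {k: redact_value(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact_value(v) for v in value)
    return value


class ListHandler(logging.Handler):
    """In-memory log handler so the redacted output can be inspected (constructed for this example)."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


logger = logging.getLogger("example.gateway")  # assumed logger name
logger.setLevel(logging.INFO)
logger.propagate = False
LOG_HANDLER = ListHandler()
logger.addHandler(LOG_HANDLER)


def log_tool_call(func):
    """Log a tool invocation and any failure, redacting arguments and error text first."""

    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        logger.info("tool %s called with args=%r kwargs=%r",
                    func.__name__, redact_value(args), redact_value(kwargs))
        try:
            return func(*args, **kwargs)
        except Exception as exc:
            # Exceptions from git/HTTP clients frequently echo the URL or token back
            logger.error("tool %s failed: %s", func.__name__, redact_text(str(exc)))
            raise

    return wrapper


@log_tool_call
def clone_repo(url, token=None):
    """Constructed tool that always fails, to show error-message redaction."""
    raise RuntimeError(f"clone of {url} failed (token={token})")


if __name__ == "__main__":
    try:
        clone_repo("https://oauth2:abcdef0123@gitlab.example/repo.git",
                   token="glpat-abcdefghijklmnopqrstuvwxyz")
    except RuntimeError:
        pass
    for line in LOG_HANDLER.records:
        print(line)
```

The generic pattern deliberately keeps the key name and separator so an operator can still tell which setting was involved, and the length threshold means short non-secret values such as "password=hunter2" pass through untouched; anything the patterns miss is still logged, so the pattern list needs extending as new credential formats enter the system.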
Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request significantly enhances application security by implementing credential redaction in logs and strengthening Kubernetes deployment configurations. Specifically, a new _redact utility and associated regex patterns were introduced in mcp_server/gateway.py to prevent sensitive data like API keys and tokens from appearing in log outputs, with comprehensive unit tests added for validation. The set_litellm_debug function was updated to prevent token leakage by requiring an explicit environment variable for debug logging and adding a clear warning. Furthermore, all Kubernetes deployment files were updated to enforce runAsNonRoot: true and apply a default seccompProfile for improved runtime security. A review comment suggested making the _REDACT_PATTERNS a frozenset to ensure its immutability.

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>