Sentry token in repository via sentry.properties

While my DSN is in a .env file and hidden from the repo browsers, I find it disturbing that my auth token is in the sentry.properties file for all to see.
I'm having trouble understanding what this means and how much of a security risk it is to let people outside my organization read this file?
(I have outsourced developers doing odd jobs for me on the repo)

Jonathan Oron asked Jan 21 '18 15:01


2 Answers

We recommend treating a sentry.properties like an .env file.

It is basically the same, so you should add it to e.g. your .gitignore.

The reason why it's called sentry.properties is because of Android Gradle; we needed it to be read natively.

HazA answered Sep 18 '22 09:09


Alternatively to the sentry.properties file, the cli can be configured using environment variables, as the docs say:

  • https://docs.sentry.io/product/cli/configuration/#configuration-values
  • https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#configure-sentry-cli

  Property name       Environment variable
  defaults.url        SENTRY_URL
  defaults.org        SENTRY_ORG
  defaults.project    SENTRY_PROJECT
  auth.token          SENTRY_AUTH_TOKEN

The environment variables will take precedence over values set in the properties file.

In this way you can set the static fields in sentry.properties (url, org, project) and pass only SENTRY_AUTH_TOKEN as an environment variable in CI mode.

kachar answered Sep 22 '22 09:09
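The split the second answer describes, as an added shell example that is not part of either answer or of sentry-cli itself: a committed sentry.properties holding only non-secret fields, the token supplied through SENTRY_AUTH_TOKEN, a check that refuses a properties file carrying auth.token, and a small resolver that applies the documented precedence (environment variable over file). File contents and the token value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answers or from sentry-cli. It shows
# the split the answer describes: non-secret fields stay in sentry.properties,
# the token comes only from SENTRY_AUTH_TOKEN, and a small check refuses a
# properties file that carries auth.token. All file contents are constructed.

# Write a sentry.properties with only non-secret fields; prints its path.
write_clean_properties() {
  f="${TMPDIR:-/tmp}/sentry.clean.$$.properties"
  cat > "$f" <<'EOF'
# safe to commit: no credential in here
defaults.url=https://sentry.io/
defaults.org=example-org
defaults.project=example-project
EOF
  printf '%s' "$f"
}

# Write the kind of file the question worries about: a token embedded in the
# properties file (placeholder value). Prints its path.
write_leaky_properties() {
  f="${TMPDIR:-/tmp}/sentry.leaky.$$.properties"
  cat > "$f" <<'EOF'
defaults.org=example-org
auth.token=PLACEHOLDER_TOKEN_VALUE
EOF
  printf '%s' "$f"
}

# Gate for a pre-commit hook or CI step: fail if auth.token is set.
# Comment lines are ignored; leading whitespace around the key is tolerated.
check_no_token() {
  if grep -Eq '^[[:space:]]*auth\.token[[:space:]]*=' "$1"; then
    printf 'refusing: %s contains auth.token\n' "$1" >&2
    return 1
  fi
  return 0
}

# Resolve one setting with the documented precedence: the environment
# variable wins, the properties file is only the fallback.
# usage: resolve <property-name> <ENV_VAR> <properties-file>
resolve() {
  key="$1" envname="$2" file="$3"
  envval=$(eval "printf '%s' \"\${$envname:-}\"")
  if [ -n "$envval" ]; then printf '%s' "$envval"; return 0; fi
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # make dots literal for sed
  sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$file" | head -n 1
}
```

Running check_no_token over the committed file in a pre-commit hook catches the case the question describes before the token reaches the repository; the token then exists only in the CI job's environment.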