Clean up passwords used for local development and unit testing.

[sydseter]

Using .env.example files or replacing visible keys with clearly fake placeholders like DUMMY_KEY_HERE or REPLACE_ME can avoid triggering scanners and still keep things simple for onboarding.

The following need to be replaced with place holder values:

MAS_API_KEY = 8767086b9f6f976g-a8df76
MASTG_API_KEY = 072037ab-1b7b-4b3b-8b7b-1b7b4b3b8b7b
secret_key_base: "LgvNRXYWe539tFQXsMkDuRniXGaiEzTMWUj2GIanun0dlbtV6vPlTGZ/l8qR1V7f"
password: "y9EAY7xeVucjM2yM"

Please make sure it's still possible to run the local tests and start the development environment after the changes.

[Suresh-Krishna-P]

Hello @sydseter ,

I’d like to work on this issue and have outlined a proposed implementation strategy below. I’d appreciate your feedback.

I've analyzed the codebase and identified the hardcoded secrets that need to be replaced with placeholder values to avoid triggering security scanners. Here's the proposed solution:

Proposed Solution

Files to modify:

• copi.owasp.org/config/config.exs (contains secret_key_base)
• copi.owasp.org/config/dev.exs (contains password)
• Any other files containing MAS_API_KEY and MASTG_API_KEY

Replace with placeholder values:

# In config/config.exs
secret_key_base: "DUMMY_SECRET_KEY_BASE_FOR_DEVELOPMENT"

# In config/dev.exs  
password: "DUMMY_DEV_PASSWORD_FOR_LOCAL_DEVELOPMENT"

# For API keys (wherever they are found)
MAS_API_KEY = "DUMMY_MAS_API_KEY"
MASTG_API_KEY = "DUMMY_MASTG_API_KEY"

Rationale:

• Using clear placeholder values like DUMMY_ or REPLACE_ME prevents security scanners from flagging these as exposed secrets
• Maintains the structure needed for local development and testing
• Makes it obvious to developers that these values need to be configured for production
• Follows security best practices by not committing real secrets to the repository

Development Environment:

• Local tests and development environment can continue to work with these placeholder values
• Developers can override these values using environment variables or local configuration files
• Production deployments should use proper secret management systems

This approach balances security scanning requirements with developer convenience and maintains the ability to run tests and start the development environment.

If you’re okay with this approach, I’m happy to open a PR.

[sydseter]

@Suresh-Krishna-P That is fine. I have already cleaned up some. DUMMY_DEV_PASSWORD_FOR_LOCAL_DEVELOPMENT is a bit overkill. LOCAL_PASSWORD and LOCAL_API_KEY is better.