security Vulnerabilities in Unicorn.SharedSecret.config file
sumant2919 opened this issue · 1 comments
Report a bug
Received Vulnerabilities in Unicorn.SharedSecret.config file
Source file: main/src/Foundation/Serialization/code/App_Config/Include/Unicorn.SharedSecret.config
What is the expected behavior?
Can we encrypt this file?
Please mention your Sitecore version and Unicorn version.
Sitecore version 9.0 rev. 180604 (Update-2) and Unicorn version 4.0.3
No. It's not up to Unicorn how you manage your configuration secrets. For normal developer work, using the file as you have it here is adequate. For upstream installations, this secret should be managed in an external environment variable - which would then ultimately come from your keyvault.
e.g.
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <unicorn>
      <authenticationProvider>
        <SharedSecret>$(env:UNICORN_SHARED_SECRET)</SharedSecret>
        <!--
          Writes the reason why failed automated tool authentications failed to the Sitecore logs.
          Will result in writing your shared secret to the logs as part of the signature base,
          so disable it unless you're debugging failed authentications.
        -->
        <WriteAuthFailuresToLog>false</WriteAuthFailuresToLog>
      </authenticationProvider>
    </unicorn>
  </sitecore>
</configuration>
And then in docker-compose
environment:
  UNICORN_SHARED_SECRET: ${UNICORN_SHARED_SECRET}
Even if you don't run containerised, you will have other means of providing Sitecore with an environment variable that owns this setting.
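A CI-style check for the two settings in the reply above, as an added example that is not part of the original issue or the Unicorn project: it flags a `SharedSecret` that is a literal instead of a `$(env:...)` token, and a `WriteAuthFailuresToLog` left at true. The function name and the embedded sample configs are assumptions constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Token form shown in the reply above: $(env:VARIABLE_NAME)
ENV_TOKEN = re.compile(r"^\$\(env:[A-Za-z_][A-Za-z0-9_]*\)$")

# Constructed sample inputs (not taken from any real deployment).
TEMPLATE = """<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore><unicorn><authenticationProvider>
    <SharedSecret>{secret}</SharedSecret>
    <WriteAuthFailuresToLog>{log}</WriteAuthFailuresToLog>
  </authenticationProvider></unicorn></sitecore>
</configuration>"""
HARDCODED = TEMPLATE.format(secret="constructed-sample-not-a-real-secret", log="true")
EXTERNALIZED = TEMPLATE.format(secret="$(env:UNICORN_SHARED_SECRET)", log="false")


def audit_unicorn_config(xml_text):
    """Return findings for one config include; the secret is never echoed."""
    findings = []
    root = ET.fromstring(xml_text)
    for provider in root.iter("authenticationProvider"):
        secret = (provider.findtext("SharedSecret") or "").strip()
        if secret and not ENV_TOKEN.match(secret):
            findings.append("SharedSecret is a literal value, not a $(env:...) token")
        log_flag = (provider.findtext("WriteAuthFailuresToLog") or "").strip().lower()
        if log_flag == "true":
            findings.append("WriteAuthFailuresToLog is true; the secret can reach the logs")
    return findings


if __name__ == "__main__":
    # With no arguments, audit the two embedded samples; otherwise audit files.
    inputs = {"HARDCODED": HARDCODED, "EXTERNALIZED": EXTERNALIZED}
    if len(sys.argv) > 1:
        inputs = {}
        for path in sys.argv[1:]:
            # utf-8-sig tolerates the byte-order mark some editors add.
            with open(path, encoding="utf-8-sig") as handle:
                inputs[path] = handle.read()
    exit_code = 0
    for name, text in inputs.items():
        for finding in audit_unicorn_config(text):
            print(f"{name}: {finding}")
            exit_code = 1
    sys.exit(exit_code)
```

Run against the config include files in a build step, a non-zero exit code fails the pipeline before a literal secret is deployed.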