gsoft-inc/azure-pipelines-lighthouse

Security question

Closed this issue · 2 comments

Hello,

I would like to start using your plugin in my company to measure our public website performance.
Is there any security issue that may happen on Azure DevOps?

Thanks

Hi @fpl1976 !

This Azure DevOps extension is basically a wrapper of the Node.js Google Lighthouse open-source tool, which is now included in Google Chrome development tools. By default, the extension always installs the latest available version of Google Lighthouse. The extension code itself and its deployment code are hosted here on GitHub, so feel free to have a look if you have any concerns about it.

Regarding Azure DevOps, I'm assuming that your ADO organization is private. The pipelines themselves can also be restricted to a specific group of people of your organization.

The reports generated by Google Lighthouse are stored in the temporary folder of the ADO agent. As your website is public, anyone could actually generate the same reports by using Google Chrome devtools - if they have its URL.

If at some point you need to test websites that have authentication, make sure to use secret variables in the Lighthouse CLI arguments so the passwords won't be shown in the pipeline logs.

Finally, just a piece of advice: you should use an agent that is powerful enough to run the Google Lighthouse benchmark as it relies on Google Chrome. Default ADO free agents are kind of weak and the benchmark results could not reflect the real performance of your website.
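To illustrate the secret-variable advice in the reply above, here is an added pipeline snippet (not from this thread, the extension's own docs, or Lighthouse); the variable name SITE_AUTH_TOKEN, the https://example.test URL and the use of a bearer token in an Authorization header are assumptions.

```yaml
# Added example (not part of the original thread or the extension's own docs).
# Assumes a pipeline variable SITE_AUTH_TOKEN created in the pipeline's
# Variables UI with "Keep this value secret" enabled, and that the site
# accepts a bearer token in an Authorization header (both assumptions).
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  # WEAK: the credential is a literal in the command line, so it ends up in
  # the pipeline definition and is printed verbatim in the step log.
  # - script: npx lighthouse https://example.test --extra-headers '{"Authorization":"Bearer hunter2"}'

  # CORRECTED: the value comes from a secret variable. Secret variables are
  # not exposed to scripts automatically; map the one you need with env:.
  # Azure DevOps masks secret variable values in step logs, so the token does
  # not appear in the Lighthouse command echoed by the runner.
  - script: |
      npx lighthouse "https://example.test" \
        --chrome-flags="--headless" \
        --extra-headers "{\"Authorization\":\"Bearer $SITE_AUTH_TOKEN\"}" \
        --output html --output-path "$(Agent.TempDirectory)/lighthouse.html"
    displayName: Run Lighthouse against an authenticated page
    env:
      SITE_AUTH_TOKEN: $(SITE_AUTH_TOKEN)
```

The same mapping applies when the extension's task takes Lighthouse CLI arguments as an input: reference `$(SITE_AUTH_TOKEN)` there rather than pasting the value, so the secret is masked in logs and never stored in the YAML.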

Hi @asimmon!

Thanks for your answer and considerations. Will definitely try the extension.