Security Guidelines and Processes

Security is taken seriously in this project. As a contributor, you should follow security best practices in code and process:

  • Secure Coding: Handle sensitive information (credentials, tokens, connection strings) safely. Do not hard-code secrets, and do not write code that can leak them indirectly, for example by logging request headers or by copying a raw API response into an error message or diagnostic. Use the Terraform SDK facilities for sensitive values: marking a schema attribute as sensitive (`Sensitive: true` on the attribute, in both terraform-plugin-framework and SDKv2) keeps it out of plan and apply output. Know the limits of that flag: the value is still written to state in plaintext, so state storage must be protected separately, and the flag does nothing for values the provider itself writes to logs. Also validate user-supplied inputs before they are used to build API requests. Terraform removes the classic injection surfaces (a provider does not execute SQL or shell commands on its own), but a string that ends up in a URL path, query filter or header can still change the request that is sent, so constrain inputs to the shape you expect (a GUID, an enumerated value, a bounded length) rather than passing them through.

  • PII Scrubbing: As highlighted in the testing guidelines, do not include real personal or sensitive data anywhere in the repository, including example configs, test fixtures, recorded API responses and documentation. Use placeholder values (example.com email addresses, all-zero or otherwise obviously synthetic GUIDs, and so on) for emails, tenant and workspace IDs, display names and similar fields.

  • Dependency Management: The provider relies on Go modules. If you add a new dependency, prefer well-maintained libraries, avoid ones with incompatible licenses or known vulnerabilities, and run make deps to tidy go.mod and go.sum. CI and the repository maintainers periodically check for vulnerable dependencies (for example via Dependabot); you can run the same kind of check locally before opening a PR with govulncheck (golang.org/x/vuln/cmd/govulncheck), which reports only the vulnerable functions your code actually reaches.

  • Reporting and Disclosure: If you find a security vulnerability in the provider (or the underlying APIs), do not open a public issue. Report it privately as described in SECURITY.md. For Microsoft projects this means the Microsoft Security Response Center (MSRC), either by email to secure@microsoft.com or through the MSRC report form at https://msrc.microsoft.com/create-report. Microsoft follows Coordinated Vulnerability Disclosure: the fix is developed privately and released together with a security advisory.
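The two habits from the Secure Coding item above, scrubbing secrets out of error text and constraining user input before it reaches an API path, look like this in plain Go. This is an added example for this page, not code from the provider; it uses only the standard library so it runs stand-alone (the schema-level `Sensitive: true` flag is not shown because it needs the plugin framework). The GUID-shaped IDs, the `/v1/workspaces/{id}/items/{id}` path and the token string are assumptions made up for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// guidRe accepts only the canonical 8-4-4-4-12 hexadecimal GUID form.
// Assumption for this example: the provider's workspace and item
// identifiers are GUIDs, as they are for Azure-style REST APIs.
var guidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// ValidateGUID rejects any value that is not a bare GUID, so a user-controlled
// attribute can never carry extra path segments ("../admin"), a query string
// ("?api-version=...") or encoded separators into a request URL.
func ValidateGUID(field, value string) error {
	if !guidRe.MatchString(value) {
		return fmt.Errorf("%s must be a GUID, got %q", field, value)
	}
	return nil
}

// ItemPath builds the request path for an item after validating both IDs.
// url.PathEscape is defence in depth: a valid GUID contains no reserved
// characters, but escaping keeps the path safe if the validator is relaxed later.
func ItemPath(workspaceID, itemID string) (string, error) {
	if err := ValidateGUID("workspace_id", workspaceID); err != nil {
		return "", err
	}
	if err := ValidateGUID("item_id", itemID); err != nil {
		return "", err
	}
	return "/v1/workspaces/" + url.PathEscape(workspaceID) +
		"/items/" + url.PathEscape(itemID), nil
}

// Redactor removes known secret values from text before it reaches
// diagnostics, logs or error messages. Literal matching is a last line of
// defence; the primary control is never to put the secret in the message.
type Redactor struct {
	secrets []string
}

// NewRedactor registers the values to scrub, dropping empty strings, which
// would never match and are just noise.
func NewRedactor(secrets ...string) *Redactor {
	r := &Redactor{}
	for _, s := range secrets {
		if s != "" {
			r.secrets = append(r.secrets, s)
		}
	}
	return r
}

// Scrub replaces every occurrence of a registered secret with a marker.
func (r *Redactor) Scrub(text string) string {
	for _, s := range r.secrets {
		text = strings.ReplaceAll(text, s, "[REDACTED]")
	}
	return text
}

// WrapError returns a new error whose message has been scrubbed. It deliberately
// does not wrap the original with %w: errors.Unwrap would otherwise hand the raw,
// unscrubbed text back to any caller or logger that walks the error chain.
func (r *Redactor) WrapError(context string, err error) error {
	if err == nil {
		return nil
	}
	return fmt.Errorf("%s: %s", context, r.Scrub(err.Error()))
}

func main() {
	// Constructed sample: an HTTP client that echoes request headers in its
	// error text, as some libraries do in verbose or debug modes.
	token := "eyJ0eXAiOiJKV1QifQ.constructed-sample-token.sig"
	apiErr := errors.New("401 Unauthorized: header Authorization: Bearer " + token + " was rejected")

	r := NewRedactor(token)
	fmt.Println(r.WrapError("creating item", apiErr))

	// A crafted workspace_id is rejected before it can become part of a URL.
	_, err := ItemPath("123e4567-e89b-12d3-a456-426614174000/../admin",
		"00000000-0000-0000-0000-000000000001")
	fmt.Println(err)
}
```

In a real provider the Redactor would be constructed once from the configured credential (and any token obtained from it) and applied at the single point where API errors are converted into Terraform diagnostics, so no individual resource has to remember to scrub.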

Additionally, all contributors must sign the Microsoft CLA (Contributor License Agreement) which is a legal requirement to contribute—this is handled automatically when you open a PR, via a bot checking your GitHub account’s CLA status. While not a security measure per se, it ensures all contributions are properly licensed to the project.

Finally, adhere to the Microsoft Open Source Code of Conduct in all interactions. A respectful, inclusive community is part of project security too (ensuring a safe environment for contributors).

If you are implementing a feature that touches on security (for example, integration with Azure Key Vault, or handling credentials), flag it to the maintainers early; they may have additional guidelines or review steps. Be aware that the provider may undergo security reviews, and code that handles authentication or networking will be scrutinized. Keeping functions small and documented, and requesting only the API permissions a resource actually needs (least privilege), will make that review easier.