fix(vcr): anonymize secrets in VCR test cassettes (#4150) #4321
Toshika-Kamble wants to merge 1 commit into
Conversation
📝 Walkthrough
Multiple test VCR fixtures now filter additional API-key header variants, and many also redact the
Changes: VCR redaction updates
🧹 Nitpick comments (1)
packages/opentelemetry-instrumentation-langchain/tests/conftest.py (1)
146-182: 📐 Maintainability & Code Quality | 🔵 Trivial | 🏗️ Heavy lift
Consider centralizing the shared VCR redaction defaults.
This header/query/body masking pattern now appears across many instrumentation packages in the same cohort. Pulling the common vcr_config() pieces into a shared test helper would reduce drift and make future secret-filter updates a one-file change. As per coding guidelines, **/tests/**/*.py: Ensure VCR cassettes never contain secrets or PII; scrub them using VCR filters.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In packages/opentelemetry-instrumentation-langchain/tests/conftest.py around lines 146-182, centralize the repeated VCR redaction setup used by vcr_config() so the shared header, query, and body masking defaults live in one test helper instead of being duplicated per package. Update this conftest.py to consume the common helper while preserving the existing secret filters for authorization/api-key headers, api_key query/body scrubbing, and IMDS ignore_hosts behavior so cassette sanitization stays consistent across instrumentation tests.
Source: Coding guidelines
📒 Files selected for processing (26)
packages/opentelemetry-instrumentation-agno/tests/conftest.py
packages/opentelemetry-instrumentation-alephalpha/tests/conftest.py
packages/opentelemetry-instrumentation-anthropic/tests/conftest.py
packages/opentelemetry-instrumentation-bedrock/tests/conftest.py
packages/opentelemetry-instrumentation-cohere/tests/conftest.py
packages/opentelemetry-instrumentation-google-generativeai/tests/conftest.py
packages/opentelemetry-instrumentation-groq/tests/traces/conftest.py
packages/opentelemetry-instrumentation-haystack/tests/conftest.py
packages/opentelemetry-instrumentation-langchain/tests/conftest.py
packages/opentelemetry-instrumentation-llamaindex/tests/conftest.py
packages/opentelemetry-instrumentation-mistralai/tests/conftest.py
packages/opentelemetry-instrumentation-openai-agents/tests/conftest.py
packages/opentelemetry-instrumentation-openai/tests/conftest.py
packages/opentelemetry-instrumentation-openai/tests/metrics/conftest.py
packages/opentelemetry-instrumentation-openai/tests/traces/conftest.py
packages/opentelemetry-instrumentation-pinecone/tests/conftest.py
packages/opentelemetry-instrumentation-replicate/tests/conftest.py
packages/opentelemetry-instrumentation-sagemaker/tests/conftest.py
packages/opentelemetry-instrumentation-together/tests/conftest.py
packages/opentelemetry-instrumentation-vertexai/tests/conftest.py
packages/opentelemetry-instrumentation-voyageai/tests/conftest.py
packages/opentelemetry-instrumentation-watsonx/tests/metrics/conftest.py
packages/opentelemetry-instrumentation-watsonx/tests/traces/conftest.py
packages/opentelemetry-instrumentation-weaviate/tests/conftest.py
packages/traceloop-sdk/tests/conftest.py
packages/traceloop-sdk/tests/guardrails/conftest.py
Description
This PR implements the best-practice recommendation raised in the original issue. The changes address findings from their AI PatchLab security scan, which flagged several Git-leaks matches (such as generic API keys and JWTs) being recorded in plaintext within the VCR test cassettes.
To resolve this, the VCR configurations have been updated to proactively anonymize and mask these sensitive headers and query parameters before recording.
Changes
- conftest.py across 26 instrumentation packages.
- filter_headers and filter_query_parameters to strip out sensitive credentials (like api-key, x-api-key, and access tokens) to keep the recorded cassettes clean and secure.
- feat(instrumentation): ... or fix(instrumentation): ...
Closes #4150
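The shared helper the nitpick comment asks for, and the header/query/body scrubbing the description outlines, as one added example. This is not code from the PR or from openllmetry: the dict returned by vcr_config() uses vcrpy's real VCR() keyword arguments (filter_headers, filter_query_parameters, filter_post_data_parameters, before_record_request, ignore_hosts) and is what a pytest-recording vcr_config fixture would return, while _Request and _apply are constructed stand-ins for vcrpy's request object and its record-time filtering so the block runs offline. The header and field names, the leak regexes, the sample request and its planted fake secrets are all assumptions chosen for illustration.

```python
"""Shared VCR secret-redaction helper: an added example, not openllmetry code."""
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# Request headers that carry credentials (matched case-insensitively). Assumed list.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "api-key",
                     "x-api-key", "x-goog-api-key", "cookie")
# Query-string and JSON-body fields that carry credentials. Assumed lists.
SENSITIVE_PARAMS = ("api_key", "key", "token", "access_token")
SENSITIVE_FIELDS = ("api_key", "token", "access_token", "client_secret", "password")
# Value shapes a gitleaks-style scan flags; used both to scrub free text and to audit.
LEAK_PATTERNS = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*"),
    "bearer": re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "sk_style_key": re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def vcr_config(extra_headers=()):
    """Body of a pytest-recording vcr_config fixture: kwargs for vcrpy's VCR()."""
    headers = SENSITIVE_HEADERS + tuple(h.lower() for h in extra_headers)
    return {
        "filter_headers": [(h, REDACTED) for h in headers],
        "filter_query_parameters": [(p, REDACTED) for p in SENSITIVE_PARAMS],
        "filter_post_data_parameters": [(f, REDACTED) for f in SENSITIVE_FIELDS],
        "before_record_request": redact_request_body,  # nested JSON and free text
        "ignore_hosts": ["169.254.169.254"],  # never record IMDS credential calls
    }


def _scrub(obj):
    """Recursively redact sensitive keys and secret-shaped strings in JSON data."""
    if isinstance(obj, dict):
        return {k: REDACTED if k.lower() in SENSITIVE_FIELDS and isinstance(v, str)
                else _scrub(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_scrub(v) for v in obj]
    if isinstance(obj, str):
        for rx in LEAK_PATTERNS.values():
            obj = rx.sub(REDACTED, obj)
    return obj


def redact_request_body(request):
    """before_record_request hook: scrub a JSON body, keeping bytes as bytes."""
    body = request.body
    if not body:
        return request
    raw = body.decode("utf-8") if isinstance(body, bytes) else body
    try:
        data = json.loads(raw)
    except ValueError:
        return request  # not JSON; filter_post_data_parameters covers form bodies
    out = json.dumps(_scrub(data))
    request.body = out.encode("utf-8") if isinstance(body, bytes) else out
    return request


def scan_for_leaks(text):
    """Audit helper: sorted names of leak patterns found in a cassette's text."""
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(text))


class _Request:
    """Constructed stand-in for vcr.request.Request (uri, headers, body)."""
    def __init__(self, uri, headers, body):
        self.uri, self.headers, self.body = uri, headers, body


def _apply(config, request):
    """Constructed stand-in for the filtering vcrpy applies at record time."""
    header_map = dict(config["filter_headers"])
    request.headers = {k: header_map.get(k.lower(), v) for k, v in request.headers.items()}
    parts = urlsplit(request.uri)
    param_map = dict(config["filter_query_parameters"])
    query = [(k, param_map.get(k, v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    request.uri = urlunsplit(parts._replace(query=urlencode(query)))
    return config["before_record_request"](request)


def sanitize_sample():
    """Constructed request with planted fake secrets, run through vcr_config()."""
    key = "sk-ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.sig_sig_sig"
    req = _Request(
        f"https://api.example.com/v1/chat?api_key={key}&model=demo",
        {"Authorization": f"Bearer {jwt}", "X-Api-Key": key,
         "Content-Type": "application/json"},
        json.dumps({"model": "demo", "auth": {"api_key": key},
                    "messages": [{"content": f"token {jwt}"}]}).encode("utf-8"),
    )
    return _apply(vcr_config(), req)


def body_json(request):
    return json.loads(request.body)


def audit(request):
    """Leak patterns still present anywhere in the sanitized request."""
    text = request.uri + json.dumps(request.headers) + request.body.decode("utf-8")
    return scan_for_leaks(text)


if __name__ == "__main__":
    r = sanitize_sample()
    print(r.uri, r.headers, r.body, audit(r), sep="\n")
```

The point of the extra before_record_request hook is that vcrpy's filter_post_data_parameters only rewrites top-level fields, so a key nested under "auth" or a JWT pasted into a message body would otherwise reach the cassette; the regex pass catches token-shaped values regardless of key name. scan_for_leaks is the check a practitioner should run over the recorded YAML in CI, since a filter that is missing one header variant fails silently.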