[Buganizer ID: 470917810] Feature - New Integration: Google Secret Manager #685
Conversation
Summary of Changes (Gemini Code Assist)
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request adds a new integration for Google Secret Manager to the Google SecOps SOAR platform. The primary purpose of this change is to allow users to securely store and manage sensitive credentials within Google Cloud, eliminating the need to hardcode them directly into the SOAR platform. The integration includes a dedicated job to automate the synchronization of these secrets into relevant integration instances, connectors, and jobs, thereby improving security and operational efficiency.
❌ Marketplace Validation Failed. Validation Report: Integrations, Pre-Build Stage: google_secret_manager
Code Review
This pull request introduces the Google Secret Manager integration, which includes a Ping action for connectivity testing and a synchronization job for managing credentials. Feedback highlights several violations of the repository's style and security guidelines, including the need for standardized Ping action output messages, the mandatory use of yaml.safe_load() instead of json.loads(), and the addition of a 'Verify SSL' parameter. Furthermore, the PR requires updates to pyproject.toml for Python version bounds and dependencies, the inclusion of a uv.lock file, and a more comprehensive unit test suite modeled after existing reference integrations.
```python
def test_imports() -> None:
    import_all_integration_modules(common.INTEGRATION_PATH)
```
The current test suite is incomplete. All new integrations must include comprehensive unit tests that cover core logic (e.g., client connectivity, secret retrieval, and job synchronization), modeled after the 'Golden Tests' in the Telegram or Sample Integration reference paths.
References
- All new features or integrations must include corresponding unit tests modeled after the Golden Tests in reference paths. (link)
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit cdc6746.
1cce8a0 to df5ba36
df5ba36 to 3fc9f4c
KrishnaSharma06 left a comment
Code Review Summary
I have reviewed the changes in PR #685.
Checks Performed
- Ruff: Found 133 errors. Please run `ruff check --fix` to resolve auto-fixable issues and manually fix the rest.
- Mypy: Found 19 errors, including type redefinition errors and missing None checks.
- Trailing Whitespaces: None found in the diff.
Compliance and Standards
- Missing Tests:
  > [!IMPORTANT]
  > MANDATORY: Tests must be created or updated for all new functionality or bug fixes. Only `test_imports.py` was found. Tests for the `Ping` action and `SyncIntegrationCredentialJob` are missing.
I have added inline comments for specific Mypy and Ruff issues found in SyncIntegrationCredentialJob.py. Please address them and add the required tests.
```python
        InvalidConfigurationError: If the YAML/JSON string is invalid.
        """
        try:
            self.credential_mapping: SingleJson = yaml.safe_load(
```
Mypy Error: Attribute credential_mapping already defined on line 72. Remove the type annotation : SingleJson here to fix it.
```python
        secret_id = str(mapped_value)
        try:
            secret_id, version_id = self._resolve_secret_and_version(mapped_value)
            secret_value: str = self.secret_manager_client.get_secret_value(
```
Mypy Error: Item None of GoogleSecretManagerClient | None has no attribute get_secret_value. Add an assertion or check to ensure self.secret_manager_client is not None before this call.
```python
            self.logger.info("No connectors configured. Skipping.")
            return None

        self.connector_name_to_identifier: NameIdentifierMap = (
```
Mypy Error: Attribute connector_name_to_identifier already defined on line 74. Remove the type annotation : NameIdentifierMap here to fix it.
```python
        ):
            job_instances: list[SingleJson] = installed_jobs_response["job_instances"]
        elif isinstance(installed_jobs_response, list):
            job_instances: list[SingleJson] = installed_jobs_response
```
Mypy Error: Name job_instances already defined on line 488. Remove the type annotation : list[SingleJson] here to fix it.
```python
            return None

        # Shallow copy to avoid mutating the original dict in the lookup.
        job_data: SingleJson = dict(job_data)
```
Mypy Error: Name job_data already defined on line 580. Remove the type annotation : SingleJson here to fix it.
```python
                parameters[idx]["value"] = secret_value
                updated_count += 1
                self.logger.info(
                    f"Set '{param_name}' on job '{job_name}' from secret '{secret_id}' version '{version_id}'."
```
Ruff Error (E501): Line too long (111 > 100).

New Integration: Google Secret Manager
Description
This PR introduces the Google Secret Manager integration for Google SecOps SOAR. It allows users to centralize their credentials on GCP and dynamically fetch and inject them into integration instances, connectors, and jobs without hardcoding sensitive data into the platform.
Note
High Risk
High risk because it introduces new credential-handling and automated secret injection logic that can overwrite integration/connector/job configuration values and depends on cloud auth flows.
Overview
Adds a new `GoogleSecretManager` SOAR integration that can authenticate to GCP Secret Manager via either Service Account JSON or Workload Identity impersonation, and includes a `Ping` action to validate connectivity.
Introduces a `Sync Integration Credential Job` that reads a JSON mapping, fetches secrets (auto-resolving latest enabled versions when not specified), and pushes values into SOAR integration instance config, connector parameters, and job parameters via SOAR APIs; includes new packaging metadata (pyproject.toml, Python 3.11), release notes, and basic import tests/assets.
Reviewed by Cursor Bugbot for commit cdc6746.
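The sync flow summarised above (parse a mapping, resolve each reference to a secret and version, pick the latest ENABLED version when none is pinned, and write the value into a parameter list) can be sketched stand-alone. The following is an added example, not code from the PR or the project: it assumes a reference syntax of `<secret-id>` or `<secret-id>/versions/<n>`, a mapping shape of `{target: {parameter name: reference}}`, and a constructed in-memory `FakeSecretManagerClient` in place of the real Secret Manager client; none of these names or conventions are taken from the PR.

```python
"""Added example (not the project's code): parse a credential mapping with
yaml.safe_load and inject Secret Manager values into SOAR-style parameter
lists. The client below is a constructed in-memory stand-in; real code
would use google.cloud.secretmanager.SecretManagerServiceClient."""
import copy
import json
import logging
import re
from dataclasses import dataclass

try:
    import yaml  # PyYAML; safe_load parses JSON too, since JSON is a YAML subset
except ImportError:  # keep the example runnable where PyYAML is absent
    yaml = None

log = logging.getLogger(__name__)

# Assumed reference syntax (not taken from the PR): "<secret-id>" or
# "<secret-id>/versions/<n>". A bare id resolves to the latest ENABLED version.
_REF_RE = re.compile(r"^(?P<secret>[A-Za-z0-9_-]{1,255})(?:/versions/(?P<version>\d+))?$")


class InvalidConfigurationError(ValueError):
    """Raised when the mapping text or a secret reference is malformed."""


@dataclass(frozen=True)
class FakeVersion:
    number: int
    state: str  # ENABLED, DISABLED or DESTROYED, mirroring Secret Manager states
    payload: str


class FakeSecretManagerClient:
    """Constructed stand-in for the real client (assumption, not the PR's API)."""

    def __init__(self, secrets: dict[str, list[FakeVersion]]) -> None:
        self._secrets = secrets

    def list_versions(self, secret_id: str) -> list[FakeVersion]:
        if secret_id not in self._secrets:
            raise KeyError(f"secret {secret_id!r} not found")
        return list(self._secrets[secret_id])

    def access_version(self, secret_id: str, version: int) -> str:
        for v in self.list_versions(secret_id):
            if v.number == version:
                if v.state != "ENABLED":
                    raise PermissionError(f"{secret_id} v{version} is {v.state}")
                return v.payload
        raise KeyError(f"{secret_id} has no version {version}")


def load_credential_mapping(text: str) -> dict[str, dict[str, str]]:
    """Parse {target: {param_name: secret_ref}} without instantiating objects."""
    try:
        data = yaml.safe_load(text) if yaml else json.loads(text)
    except (yaml.YAMLError if yaml else json.JSONDecodeError) as exc:
        raise InvalidConfigurationError(f"mapping is not valid YAML/JSON: {exc}") from exc
    if not isinstance(data, dict) or not all(isinstance(v, dict) for v in data.values()):
        raise InvalidConfigurationError("mapping must be {target: {param: secret_ref}}")
    return data


def resolve_secret_and_version(client: FakeSecretManagerClient, ref: str) -> tuple[str, int]:
    """Split a reference into (secret_id, version); pick latest ENABLED if unpinned."""
    m = _REF_RE.match(ref)
    if not m:
        raise InvalidConfigurationError(f"bad secret reference {ref!r}")
    secret_id = m.group("secret")
    if m.group("version"):
        return secret_id, int(m.group("version"))
    enabled = [v.number for v in client.list_versions(secret_id) if v.state == "ENABLED"]
    if not enabled:
        raise InvalidConfigurationError(f"{secret_id} has no ENABLED version")
    return secret_id, max(enabled)


def inject_secrets(client: FakeSecretManagerClient, parameters: list[dict],
                   mapping: dict[str, str]) -> tuple[list[dict], int]:
    """Return a copy of `parameters` with mapped values replaced, plus the count."""
    updated = copy.deepcopy(parameters)  # never mutate the caller's lookup data
    count = 0
    for param in updated:
        ref = mapping.get(param["name"])
        if ref is None:
            continue
        secret_id, version = resolve_secret_and_version(client, ref)
        param["value"] = client.access_version(secret_id, version)
        count += 1
        log.info("set %r from %s v%d", param["name"], secret_id, version)  # never log the value
    return updated, count


# Constructed sample data: one secret whose newest version is disabled, one pinned.
FAKE_CLIENT = FakeSecretManagerClient({
    "soar-api-token": [FakeVersion(1, "DESTROYED", ""), FakeVersion(2, "ENABLED", "tok-v2"),
                       FakeVersion(3, "DISABLED", "tok-v3")],
    "connector-password": [FakeVersion(1, "ENABLED", "pw-v1"), FakeVersion(2, "ENABLED", "pw-v2")],
})
SAMPLE_MAPPING = """
{"Google Secret Manager": {"API Token": "soar-api-token"},
 "My Connector": {"Password": "connector-password/versions/1"}}
"""


def demo() -> tuple[list[dict], int]:
    mapping = load_credential_mapping(SAMPLE_MAPPING)
    params = [{"name": "API Token", "value": "placeholder"}, {"name": "Verify SSL", "value": "true"}]
    return inject_secrets(FAKE_CLIENT, params, mapping["Google Secret Manager"])
```

Three points from the review thread are built in: the mapping is parsed with `yaml.safe_load` (which also accepts JSON) rather than `json.loads`, the parameter list is copied before secret values are written into it, and the log line records only the secret id and version, never the payload. The version resolver skips DISABLED and DESTROYED versions, so a secret whose newest version has been disabled still syncs to the newest usable one.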