Secret Migration Plan
Migrate all hardcoded secrets from source code repositories to Azure Key Vault (AKV).
Overview
- Organization: togethercca
- Project: tis-cca
- Total Repositories: 171
- Target: Azure Key Vault per environment
- Tool: `tis-secrets migrate` (see README.md)
- Created: 2026-02-19
Environments
| Env | Key Vault |
|---|---|
| Development | at-tgca-tis-d-default |
| Fachtest | at-tgca-tis-f-default |
| Prod | at-tgca-tis-p-default |
Tasks per Repository
For each repository the following steps must be completed:
- DEV - Migrate secrets to Development Key Vault
- FT - Migrate secrets to Fachtest Key Vault
- PROD - Migrate secrets to Prod Key Vault
- GIT - Clean git history (remove leaked secrets from all commits)
- ROT - Rotate all affected secrets (new passwords, keys, tokens)
- LIB - Upgrade tis.hosting library to newest version
Priority Legend
| Priority | Meaning |
|---|---|
| Critical | External-facing, high secret count, identity/auth system |
| High | External-facing or contains DB credentials / API keys |
| Medium | Internal service, limited exposure |
| Low | Library, tool, or minimal secret risk |
| TBD | Not yet assessed - needs initial scan |
| N/A | No secrets expected (documentation, templates, empty repos) |
Critical Priority
| # | Repository | DEV | FT | PROD | GIT | ROT | LIB | Notes | Challenges |
|---|---|---|---|---|---|---|---|---|---|
| 1 | tis.identity | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 12+ secrets, 11 OAuth ClientSecrets, DB-Creds, AD-Creds | |
| 2 | cca.intern.configurationManagement | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 124 MB repo - likely contains environment configs | |
High Priority
| # | Repository | DEV | FT | PROD | GIT | ROT | LIB | Notes | Challenges |
|---|---|---|---|---|---|---|---|---|---|
| 3 | Tis.Partner.UniqaIntegration | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | 7+ secrets, RSA Private Key, mTLS password, OAuth2 | |
| 4 | tis.identity.legacy.tisoauth | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 2 secrets, plaintext DB creds (omds/GE38@siemens) | .NET Framework app with multiple projects |
| 5 | TIS-Anmeldung | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 6 secrets, SQL creds in Web.config, SalesManago keys | .NET Framework 4.8 application |
| 6 | api.servicebytogether.at | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | 3 secrets, OAuth2 ClientSecret, AI keys | |
| 7 | tis.anmeldung | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | 6 secrets, CCA-Online Secret identical across DEV/FT/PROD | |
| 8 | tis-cca.endkundenportal | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 4 secrets, DB password, WebSMS ApiKey | Does not use tis.hosting yet |
| 9 | Tis.Partner.RiskineIntegration | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | 5+ secrets, OAuth2, Prod DB password, BasicToken | |
| 10 | Tis.Partner.GraweIntegration | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | 4 secrets, Grawe OAuth2, TIS Introspection Secret | |
| 11 | Tis.Partner.ZuerichIntegration | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | 4 secrets, ApiGateway ClientSecret, Prod creds in repo | |
| 12 | Tis.Partner.AllianzIntegration | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | 5 secrets, DB password, hardcoded DataProtection password | |
| 13 | Tis.Partner.HDIIntegration | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | 4 secrets, DB password, hardcoded DataProtection "secret" | |
| 15 | Tis.Partner.MukiIntegration | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | 2 secrets, OAuth2 ClientSecrets | |
| 16 | Tis.Partner.WuestenrotIntegration | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | 2 secrets, OAuth2, cert password same across all envs | |
| 17 | Tis.Partner.VAVIntegration | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | 2 secrets, VAV OAuth2, missing FT/Prod separation | |
| 18 | tis.core.services | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 7 secrets, DB creds (omds/GE38@siemens) in 7 appsettings | .NET Standard application |
Medium Priority
| # | Repository | DEV | FT | PROD | GIT | ROT | LIB | Notes | Challenges |
|---|---|---|---|---|---|---|---|---|---|
| 19 | Tis.Hosting.ApiGateway | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | 3 secrets, AdminPassword, AI ConnectionStrings | |
| 20 | tis.identity.api | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | TBD - identity API, likely has secrets | |
| 21 | Tis.Identity.Benutzerverwaltung | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | TBD - user management, likely has secrets | |
| 22 | Tis.Identity.Makleradmin | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | TBD - admin tool, likely has secrets | |
| 23 | tis.identity.oeamtcselfservice | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | TBD - external-facing self-service | |
| 24 | tis.identity.ovbselfservice | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | TBD - external-facing self-service | |
| 25 | tis.identity.trustcenter | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - certificate/trust related | |
| 26 | tis.identity.benutzeranlage | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - user provisioning | Still on .NET Core 2.1 — requires framework upgrade before or during migration |
| 27 | Tis.Identity.Legacy.TisAuthCookieSessionService | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - legacy auth service | Does not use tis.hosting.extensions yet |
| 28 | tis.identity.Legacy.TisUser | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - legacy user service | .NET Framework 4.7 |
| 29 | tis.identity.certificate.installer | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - certificate management | .NET Framework 4.8 |
| 31 | tis.riskine.anmeldung | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | No secrets found | |
| 32 | Tis.Partner.GeneraliIntegration | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | TBD - partner integration | |
| 33 | tis.partner.VigIntegration | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | TBD - partner integration | |
| 35 | Tis.Hosting.ApiGateway.config | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - API gateway configuration | |
| 36 | Tis.Hosting.Extensions | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - hosting extensions (may contain config) | |
| 37 | tis.hosting.shell | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | TBD - hosting shell | |
| 40 | tis.gf.api | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | TBD - GF API service | Uses tis.core libraries; references vulnerable RestSharp version |
| 41 | tis.gf | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | TBD - main GF application | TODO: re-run tests when DB server is back online |
| 42 | tis.gf.bp | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | No secrets found | |
| 43 | tis.gf.bp.oeamtc | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - OEAMTC business process | NUnit tests not showing correctly in VS2025 Test Explorer |
| 48 | tis.gf.erv | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - electronic legal transactions | Leopoldo currently working on this app — revisit in a few days |
| 49 | tis.gf.esign | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - e-signature (89 MB, likely has cert secrets) | Projects split across 3 solutions — should be consolidated into one per project-structure.md guidelines; do this in a session with Leopoldo (scheduled 2026-03-17) |
| 51 | tis.gf.oeamtcUnfall | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | No pre-existing secrets | |
| 52 | tis.gf.omds3.vigong | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - VIG ONG integration | Migration deferred until 2026-03-16 (active development this week); keep upgrades minimal — app will be deprecated in favor of VigIntegration |
| 55 | tis.gf.smr5 | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - SMR5 (104 MB) | Complex app with many projects — discuss with Michael Hingel |
| 56 | tis.gf.stornoansuchen | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | TBD - cancellation requests | Uses tis.core libraries |
| 57 | tis.gf.trws | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - TRWS | Check if still in use before migrating |
| 59 | tis.gf.uniqa.service | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - UNIQA service integration | Check if still in use before migrating |
| 60 | tis.gf.wgp | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | TBD - WGP | Check telemetry setup with Moritz |
| 64 | tis.mandanten.vermittlerweb3 | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | TBD - broker web v3 | |
| 66 | tis.monitoring.dashboard | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - monitoring (may have connection strings) | Fix invalid characters issue first |
| 69 | tis.services.vertreiberkategorie | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - distributor category service | |
| 70 | tis.bestand.bestandsuebersicht | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | TBD - portfolio overview | |
| 71 | tis.bestand.klauselservice | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | TBD - clause service | |
| 73 | tis.bestand.omdsCollector | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - OMDS collector | Windows Service, not ASP.NET — no tis.hosting support |
| 74 | tis.bestand.omdsdownload | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - OMDS download | .NET Framework 4.6.2 application |
| 75 | tis.bestand.omdsFileUpload | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - OMDS file upload | .NET Framework 4.6.1 application |
| 77 | tis.benutzer.druckdaten | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - user print data | .NET Core 2.1 — requires framework upgrade before or during migration |
| 78 | tis.datenverarbeitung.dbServices | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - DB services (likely has connection strings) | |
| 79 | tis.datenverarbeitung.ftpServices | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - FTP services (likely has FTP creds) | |
| 80 | tis.datenverarbeitung.tools | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - data processing tools | .NET Framework 4.0 — check if still in use before migrating |
| 84 | tis.volltextsuche | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - full-text search | |
| 85 | tis.pdftransformer.api | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | No secrets found | |
| 88 | tis.aduserunlockservice | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - AD user unlock (likely has AD creds) | .NET Core 2.1 — requires framework upgrade before or during migration |
| 89 | tis.userprofile | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | TBD - user profile service | |
| 90 | tis.userabgleich | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | TBD - user reconciliation | |
| 91 | tis.hybridgui.notifications | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | TBD - notification service | PROD deployment requires confirmation from Leopoldo |
| 92 | Tis.Omds3.DeepLink | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | TBD - OMDS3 deep link service | |
| 95 | tis.omdsx2024 | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - OMDS X 2024 | Multiple active branches — deferred for later |
| 120 | tis.ssis.schnittstellen | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - SSIS interfaces | Ask Karl if still in use |
| 123 | ucl.tarifrechner | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - UCL tariff calculator | .NET Framework 4.5 |
Low Priority
| # | Repository | DEV | FT | PROD | GIT | ROT | LIB | Notes | Challenges |
|---|---|---|---|---|---|---|---|---|---|
| 124 | tis.core | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - core library | |
| 125 | tis.core.legacy.cca-aspose | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - Aspose license key? | |
| 126 | tis.cads.api.client | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - API client library | .NET Standard 2.1 |
| 129 | tis.identity.extensions.iis | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - IIS extension | .NET Framework 4.6.2 |
| 132 | tis.pdftransformer.client | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | No secrets found | |
| 133 | tis.services.pdftransformer.api.client | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - PDF API client lib | |
| 134 | tis.tarifconf.api.client | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - tariff config client (empty) | |
| 135 | tis.tarifconf.api.type | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - type definitions only | |
| 136 | tis.cmnkeyvalues-parent | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - key-value parent module | |
| 137 | tis.tools.clienthelper | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - client helper tool | |
| 138 | tis.utils.appsettings | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - appsettings utility | |
| 139 | Tis.Utils.AspNetCore.ApplicationInsights | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - App Insights utility | |
| 140 | tis.utils.mapstruct | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - MapStruct utility | |
| 141 | tis.utils.windowsupdate | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - Windows Update utility | |
| 142 | tiscca.bundle-loading | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - bundle loading | |
| 143 | tiscca.config-utils | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - config utility | |
| 144 | tiscca.global-utils | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - global utilities | |
| 145 | tiscca.jaxb-handler | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - JAXB handler | |
| 146 | tiscca.json-helper | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - JSON helper | |
| 147 | tiscca.userdata-modules | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - user data modules | |
| 150 | tis.omds3.error-types | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - OMDS3 error types | |
| 151 | tis-cca.omds.core | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - OMDS core library | |
| 152 | tis-cca.omds.omds3client | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - OMDS3 client (37 MB) | |
| 153 | tiscca.cads-parent | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - CADS parent module (100 MB) | |
| 154 | tis-cca.DataUtils.Filtering | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - data filtering utility | |
| 155 | tis-cca.DataUtils.Paging | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | TBD - data paging utility | |
Archived / Disabled Repositories
These repositories are archived or disabled and are out of scope for the migration.
| # | Repository | Notes |
|---|---|---|
| 30 | tis.identity.certificate.ScepEnrollmentService | Disabled (archived repo) |
| 34 | Tis.Partner.Api | Inactive repo — last edited ~3 years ago, no pipelines |
| 44 | tis.gf.bpr5 | Legacy/disabled, unused repo |
| 45 | tis.gf.dochandler | Legacy/disabled, unused repo |
| 47 | tis.gf.dpa | Legacy repo — replaced by tis.gf.wgp |
| 50 | tis.gf.fba | Legacy repo — replaced by tis.gf.wgp |
| 53 | tis.gf.omds3engine.integrationservice | Disabled repo |
| 61 | tis.gf.zahlungsaenderung | Legacy app — functionality now part of tis.gf.wgp |
| 58 | tis.gf.uniqa.omds3RequestForwarder | Legacy repo |
| 62 | tis.gf.gfweitergabe | Incomplete rewrite attempt — untouched for 2 years, out of scope |
| 63 | tis.gf.abgleich | No longer in use (confirmed by Michael Hingel) |
| 65 | tis.vermittlerweb2 | Obsolete |
| 67 | tis.makler.vertreiberkategorie | Legacy repo — replaced by tis.services.vertreiberkategorie |
| 72 | tis.bestand.ole.autoOle | Legacy app — out of scope (587 MB) |
| 76 | tis.bestand.vnnumcheck | Legacy/unused — out of scope |
| 81 | tis.dwh | Legacy/disabled — out of scope |
| 82 | tis.dwh.ssas.tab | Legacy/disabled — out of scope |
| 83 | tis.intern.datasearch | Legacy/disabled — out of scope |
| 86 | tis.xml2pdf.transformer.csharp.poc | Old POC project — out of scope |
| 87 | tis.scheduler | Legacy — out of scope |
| 96 | tis.omds3.smr5.adapter | Disabled (archived repo) |
| 97 | tis.omds3.smR5Adataper | Disabled (archived repo) |
| 107 | tis-cca | Disabled (archived repo) |
| 101 | tiscca.kisservice.v2 | Disabled (.NET Framework 4.0) |
| 114 | cca.omdsmerge | Disabled (archived repo) |
| 116 | tis.ssis.datenverarbeitung | Disabled (archived repo) |
| 117 | tis.ssis.etl | Disabled (archived repo) |
| 118 | tis.ssis.etl-intern | Disabled (archived repo) |
| 119 | tis.ssis.reports | Disabled (archived repo) |
| 169 | tis-cca.ui.angularjs | Disabled (legacy AngularJS UI) |
Out of Scope — Non-.NET/C# Applications
These repositories are not .NET/C# applications and are out of scope for this phase of the migration. They are listed here for tracking purposes and will be addressed in a future phase.
| # | Repository | Priority | Notes | Challenges |
|---|---|---|---|---|
| 14 | tiscca.omds3services | High | 2 secrets, omds3.api Secret in 4 configs | Java application |
| 38 | tis.hguimenu.api | Medium | TBD - hybrid GUI menu API | Java application |
| 39 | tis.hguimenu.webconfig | Medium | TBD - web.config may contain secrets | Java application |
| 46 | tis.gf.document-creator | Medium | TBD - document creator | Java application |
| 54 | tis.gf.readonly | Medium | TBD - readonly GF | Java application |
| 68 | tis.services.cads54 | Medium | TBD - CADS service | Java application |
| 93 | tis.omds3services.deeplink | Medium | TBD - OMDS3 deep link | Java application |
| 94 | tis.omds3services.donau | Medium | TBD - OMDS3 Donau integration | Java application |
| 98 | tis.omds3.gli.evpconnect.proxy | Medium | TBD - GLI EVP connect proxy | Java application |
| 99 | tis.omds3.gli.kfz.proxy | Medium | TBD - GLI KFZ proxy | Java application |
| 100 | tiscca.omds3services-vigong-parent | Medium | TBD - VIG ONG parent (28 MB) | Java application |
| 102 | tiscca.cads.tarifconfig.api | Medium | TBD - tariff config API | Java application |
| 103 | tiscca.cads.webui | Medium | TBD - CADS web UI (51 MB) | Java application |
| 104 | tiscca.cads.webui-oeamtc | Medium | TBD - CADS OEAMTC web UI | Java application |
| 105 | tiscca.cads.dataview | Medium | TBD - CADS data view | Java application |
| 106 | tiscca.cads.oeamtc | Medium | TBD - CADS OEAMTC | Java application |
| 108 | tis-cca.admin-dashboard | Medium | TBD - admin dashboard | Angular application — check if still in use |
| 109 | tis-cca.ui.angular | Medium | TBD - Angular UI | Angular application |
| 110 | tis-cca.Infonet.GenerateSitemap | Medium | TBD - sitemap generator | JavaScript tool (active repo) |
| 111 | tis.wildfly.config.api | Medium | TBD - Wildfly config API | Java application |
| 148 | tis.wildfly.config.client | Low | TBD - Wildfly config client | Java application |
| 149 | tis.wildfly.config.types | Low | TBD - Wildfly config types | Java application |
| 112 | tiscca.maklerdaten-java.jersey.rest.client | Medium | TBD - Java REST client | Java application |
| 113 | cca.intern.ccaonlineAdminConsole | Medium | TBD - admin console | Angular application |
| 127 | tis.client.identiy | Low | TBD - identity client lib (note: typo in repo name) | Java application |
| 128 | tis.idsrv.client | Low | TBD - identity server client lib | Java application |
| 130 | tis.identity.api.javaclient | Low | TBD - Java client lib | Java application |
| 131 | tis.soagfx.restapis.client | Low | TBD - REST API client lib | Java application |
N/A (No Secrets Expected)
| # | Repository | Notes |
|---|---|---|
| 115 | Projekte.vig-avag-2025 | Documentation project, no code |
| 121 | tis.betrieb.scripts | Operations scripts, no application code |
| 122 | tis.betrieb.testuser | Test data management, no application code |
| 156 | tis.appinsights.telemetry | Telemetry library, no secrets expected |
| 157 | tis.autopreisspiegel.proxy | Empty repo (0 bytes) |
| 158 | tis.hybridgui.menu | Tiny repo (3 KB), UI menu config |
| 159 | tis.intern.omdsvalidator | Validator tool |
| 160 | tis.polizzenkopien-parser-poc | POC |
| 161 | tis.test.upload | Test upload tool |
| 162 | tis.vs-templates | Visual Studio templates |
| 163 | tis-cca.ckeditor | CKEditor config |
| 164 | tis-cca.documentation | This documentation repo |
| 165 | tis-cca.publicwebsite | Public website (11 KB) |
| 166 | tis-cca.styleguide | CSS/SCSS styleguide |
| 167 | tis-cca.testdata-management | Test data management |
| 168 | tis-cca.tool.mitschrift.vscode | VS Code extension |
| 170 | cca.demo | Demo repo |
| 171 | tis.riskine.anmeldung | No secrets found (Riskine login integration) |
Progress Summary
| Category | Total | Completed (all 6 tasks) | In Progress | Not Started |
|---|---|---|---|---|
| Critical | 2 | 0 | 0 | 2 |
| High | 15 | 0 | 11 | 4 |
| Medium | 52 | 4 | 20 | 28 |
| Low | 26 | 0 | 1 | 25 |
| Archived/Disabled | 30 | - | - | - |
| Non-.NET/C# | 28 | - | - | - |
| N/A | 18 | - | - | - |
| Total | 171 | 4 | 32 | 59 |
Process
Before Starting a Repo
- Clone/pull the repository
- Run `tis-secrets migrate --dry-run` to identify secrets
- Update priority and notes in this document based on findings
Migration Steps per Environment
- Run `tis-secrets migrate -v <vault> -p <prefix> -e <env>` for each environment
- Verify the application starts and functions correctly with AKV references
- Mark the environment checkbox as complete
Git History Cleanup
- Use `git filter-repo` or BFG Repo Cleaner to remove secrets from history
- Force-push the cleaned history
- Notify all developers to re-clone
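
A check to run in a fresh clone after the force-push, before marking GIT as complete. This is an added example and not part of `tis-secrets`. The function names, the secrets-file format (one literal value per line, kept outside the repository) and the sample repository are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: confirm that literal secret values are no longer reachable
# in a repository's history. Helper names are hypothetical.

# count_leaking_commits REPO SECRETS_FILE
# Prints how many commits, over all refs, add or remove any literal string
# listed one per line in SECRETS_FILE. 0 means no reachable commit touches it.
count_leaking_commits() {
    local repo="$1" secrets_file="$2" secret
    while IFS= read -r secret || [ -n "$secret" ]; do
        [ -z "$secret" ] && continue
        # -S (pickaxe) matches the literal string in diffs; -m also diffs merges.
        git -C "$repo" log --all -m --format=%H -S"$secret"
    done < "$secrets_file" | sort -u | wc -l | tr -d ' '
}

# head_contains REPO SECRETS_FILE
# Succeeds if the tree at HEAD still contains one of the listed strings.
head_contains() {
    local repo="$1" secrets_file="$2" secret
    while IFS= read -r secret || [ -n "$secret" ]; do
        [ -z "$secret" ] && continue
        git -C "$repo" grep -q -F -e "$secret" HEAD && return 0
    done < "$secrets_file"
    return 1
}

# make_demo_repo DIR
# Constructed sample history: commit 1 adds a config file with a made-up
# password, commit 2 blanks it out (as after moving the value to Key Vault).
make_demo_repo() {
    local dir="$1"
    git init -q "$dir"
    git -C "$dir" config user.name demo
    git -C "$dir" config user.email demo@example.invalid
    git -C "$dir" config commit.gpgsign false
    printf '{"Db":{"Password":"CONSTRUCTED-pw-123"}}\n' > "$dir/appsettings.json"
    git -C "$dir" add appsettings.json
    git -C "$dir" commit -q -m "add config"
    printf '{"Db":{"Password":""}}\n' > "$dir/appsettings.json"
    git -C "$dir" commit -q -am "move password to Key Vault"
}

# Usage against a real clone (paths are placeholders):
#   count_leaking_commits /path/to/fresh-clone /secure/tmp/old-secrets.txt
```

In the constructed repository `head_contains` fails while `count_leaking_commits` prints 2, which is the state of a repo whose DEV/FT/PROD columns are done but whose GIT column is not. The check only sees commits reachable from refs in that clone, so rotation is still required for every value that was ever pushed.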
Secret Rotation
- Generate new secrets/passwords/keys for all affected credentials
- Update the new values in Azure Key Vault
- Update any external systems (partner APIs, databases) with new credentials
- Verify application functionality after rotation
- Mark rotation checkbox as complete
Notes
- Repos marked TBD need an initial assessment with `tis-secrets migrate --dry-run`
- Priority assignments for assessed repos are based on Migration-Brainstorming.md
- Some repos may be reclassified after assessment (e.g., Medium -> High if secrets are found)
- Empty or archive repos may be moved to N/A after verification