[azure-cli] better default configuration to reduce chances of accidental data leaks #48

Open
MoChilia opened this issue Jan 9, 2025 · 3 comments

Comments

@MoChilia
Owner

MoChilia commented Jan 9, 2025

Description

The Azure CLI has a tendency to be quite chatty, and this can expose secrets stored in Azure in the logs of CI tools that run it.

There are a number of sensible configuration settings that can be applied to greatly reduce the chance of this happening:

core.only_show_errors=true
core.error_recommendation=off
core.collect_telemetry=false
logging.enable_log_file=false

These can either be set using az config or registered as environment variables. The latter is more secure, as the AzureCLI@2 task in Azure Pipelines ignores the global config by default.

Ideally azure-cli would detect it's running on a CI platform, using a package similar to is-ci.

This way command output isn't echoed to the log by default and also not written to disk where it can easily be intercepted.

I've suggested that the actions-runner team apply these settings on the GitHub Actions and Azure Pipelines hosted runners, but they feel it's up to the individual tools to act in a proper manner:

Expected behavior

Azure-cli is configured with sane CI/CD defaults.

There is an extension to Azure CLI called init which provides sane automation defaults.

Actual behavior

Azure-cli is configured in standard interactive mode.
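The four settings listed in the issue, applied as environment variables only when a CI platform is detected (an added example, not code from the issue author or the azure-cli project). It assumes the Azure CLI's `AZURE_<SECTION>_<KEY>` environment variable naming; the helper names and the CI checks on `CI`, `GITHUB_ACTIONS` and `TF_BUILD` are hypothetical stand-ins for what a package like is-ci does.

```shell
#!/bin/sh
# Settings taken from the issue text, one "section.key=value" per line.
AZ_CI_SETTINGS='core.only_show_errors=true
core.error_recommendation=off
core.collect_telemetry=false
logging.enable_log_file=false'

# Map "section.key" to the AZURE_<SECTION>_<KEY> environment variable name
# (assumed naming convention for Azure CLI configuration overrides).
az_env_name() {
    printf 'AZURE_%s\n' "$(printf '%s' "$1" | tr '.' '_' | tr '[:lower:]' '[:upper:]')"
}

# Minimal CI detection (hypothetical helper): generic CI flag, GitHub
# Actions, Azure Pipelines. CI=false and an empty CI count as "not CI".
is_ci() {
    [ "${CI:-false}" != "false" ] || [ -n "${GITHUB_ACTIONS:-}" ] || [ -n "${TF_BUILD:-}" ]
}

# Export the quiet defaults for this shell and its children. A variable the
# pipeline author already exported is left alone, so an explicit choice wins.
az_apply_ci_defaults() {
    is_ci || return 0
    while IFS='=' read -r key value; do
        [ -n "$key" ] || continue
        name=$(az_env_name "$key")
        printenv "$name" >/dev/null 2>&1 && continue
        export "$name=$value"
    done <<EOF
$AZ_CI_SETTINGS
EOF
}

# Call this before the first az invocation in the job.
az_apply_ci_defaults
```

Because the values live in the job's environment rather than in the global config file, they also reach tasks that ignore that file, which is the case the issue raises for AzureCLI@2.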


github-actions bot commented Jan 9, 2025


github-actions bot commented Jan 9, 2025

This issue is related to security. Please pay attention.

@MoChilia
Owner Author

MoChilia commented Jan 9, 2025

Quote from the actions/runner-image team: Thank you for your suggestion, but we prefer to use default settings since they are common for everyone. If you would like to change some behavior of Azure-cli you can try to do it in runtime.
