17

While my DSN is in a .env file and hidden from the repo browsers, I find it disturbing that my auth token is in the sentry.properties file for all to see.
I'm having trouble understanding what this means and how much of a security risk it is to let people outside my organization read this file.
(I have outsourced developers doing odd jobs for me on the repo)

Jonathan Oron

2 Answers

13

We recommend treating a sentry.properties like an .env file.

It is basically the same, so you should add it to your e.g. .gitignore.

The reason it's called sentry.properties is Android Gradle: we needed it to be read natively.

HazA
  • If we gitignore this file, how do we provide this information to the CI server for automatic deployments? Currently the CI server picks it up from within the git repo. – gaurav5430 Mar 07 '20 at 08:20
  • @gaurav5430 In Sentry official cli docs it says that these values can be configured using environment variables https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#configure-sentry-cli – kachar May 06 '21 at 07:46
  • @kachar Does this also apply to React Native projects? Because for RN projects the `sentry.properties` file is inside `ios/` and `android/`. – Chan Jing Hong Aug 19 '21 at 12:46
  • Yeah, I can add it to the .gitignore file, but I'm uncomfortable with leaving it in my app, because when I bundle the app it's possible for the app to be reverse-engineered and the token will be visible. Right now I use --dart-define-from-file to handle all my secret keys in the app, but I'm not sure how to use this with the sentry.properties file. – Frankdroid7 Aug 25 '23 at 09:28
7

As an alternative to the sentry.properties file, the CLI can be configured using environment variables, as the docs say:

Property name      Environment variable
defaults.url       SENTRY_URL
defaults.org       SENTRY_ORG
defaults.project   SENTRY_PROJECT
auth.token         SENTRY_AUTH_TOKEN

The environment variables will take precedence over values set in the properties file.

In this way you can set the static fields (url, org, project) in sentry.properties and pass only SENTRY_AUTH_TOKEN as an environment variable in CI.

kachar
  • Does this also apply to React Native projects? Because for RN projects the `sentry.properties` file is inside `ios/` and `android/`. – Chan Jing Hong Aug 19 '21 at 12:46
  • @ChanJingHong For React Native you might want to check the docs at https://docs.sentry.io/platforms/react-native/configuration/environments/. Anyway, Sentry CLI is not running in the React Native environment, so it should be a concern of the deployment procedure (CI). – kachar Aug 24 '21 at 04:30
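An added example, not code from either answer or from Sentry's own tooling, that mirrors the precedence described in the second answer (environment variable wins, sentry.properties is the fallback) and adds a CI guard that refuses to proceed when auth.token has been left in the committed file. The sample file contents and the token value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the answer or from Sentry: env var beats
# sentry.properties, and auth.token must never be in the committed file.

# Resolve one setting: $1 = env var name, $2 = property key, $3 = properties file.
sentry_setting() {
  env_name=$1; prop_key=$2; file=$3
  eval "env_val=\${$env_name:-}"
  if [ -n "$env_val" ]; then
    printf '%s\n' "$env_val"      # environment takes precedence
    return 0
  fi
  # Fallback: last "key = value" line in the file; escape dots in the key for grep.
  key_re=$(printf '%s' "$prop_key" | sed 's/\./\\./g')
  grep -E "^[[:space:]]*${key_re}[[:space:]]*=" "$file" 2>/dev/null \
    | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 1 if the (committed) properties file carries auth.token; in CI the
# token should arrive only through SENTRY_AUTH_TOKEN.
check_no_token_in_file() {
  if grep -Eq '^[[:space:]]*auth\.token[[:space:]]*=' "$1" 2>/dev/null; then
    echo "refusing: auth.token found in $1; supply SENTRY_AUTH_TOKEN instead" >&2
    return 1
  fi
  return 0
}

# Constructed sample sentry.properties: static fields only, no token.
DEMO_FILE=$(mktemp)
cat > "$DEMO_FILE" <<'EOF'
defaults.url=https://sentry.io/
defaults.org=example-org
defaults.project=example-project
EOF

# Constructed placeholder standing in for the secret a CI system injects.
SENTRY_AUTH_TOKEN=placeholder-token-from-ci
export SENTRY_AUTH_TOKEN

if check_no_token_in_file "$DEMO_FILE"; then
  echo "org=$(sentry_setting SENTRY_ORG defaults.org "$DEMO_FILE")"
  echo "auth token taken from environment: ${SENTRY_AUTH_TOKEN:+yes}"
fi
```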