Protecting sensitive data
There are cases where developers need to use sensitive information in their bot (e.g. some API key) or just hide their bot code from the public. While Forta does not currently support storage of secrets (since all bot images are stored in a public repository), developers can still use JWT authentication or code obfuscation as two ways to protect sensitive data.
It should be noted that obfuscation is not the same as encryption, and that obfuscation can potentially be reversed with enough effort. With this in mind, we do not recommend storing high-value secrets in your bots. Instead, you can use the pattern for JWT authentication for bots to securely load secrets without storing them in the code.
npm run obfuscate. The script in package.json will look like:
It is recommended to obfuscate before building your bot image so that you can verify the results of the obfuscation and make sure it meets your expectations. You can also try running the obfuscated code to verify that it still works by moving the obfuscated files over to the src folder. Please note that the
The obfuscation-config.js contains a number of settings for manipulating the code. You may want to tweak these settings in order to further obfuscate your code. There are a few preset options you can experiment with to achieve your desired level of obfuscation. Keep in mind that there will be a tradeoff between obfuscation and performance when tweaking these settings.
Be careful if tweaking the obfuscation-config.js settings, as some of the options could potentially break your code. For example, the selfDefending option will prevent your code from running if it is formatted in any way after being obfuscated. See the complete list of options to get a better understanding.
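One way to verify the results of the obfuscation before building the image is the check below. It is an added example, not code from the Forta documentation or starter project. It scans the obfuscated output for sensitive values that are still present verbatim or in a keyless encoding. The function names, the sample secret and the sample files are hypothetical.

```javascript
// Added example, not Forta project code. All names here are hypothetical.
function candidateForms(secret) {
  // Forms a string literal can take that need no key to reverse.
  const buf = Buffer.from(secret, "utf8");
  const hex = buf.toString("hex");
  return [
    { form: "plaintext", needle: secret },
    { form: "base64", needle: buf.toString("base64").replace(/=+$/, "") },
    { form: "hex", needle: hex, foldCase: true },
    { form: "\\x escapes", needle: hex.replace(/../g, "\\x$&"), foldCase: true },
  ];
}

// files: { fileName: sourceText }, secrets: [{ name, value }]
function findLeaks(files, secrets) {
  const leaks = [];
  for (const [file, source] of Object.entries(files)) {
    const lower = source.toLowerCase();
    for (const { name, value } of secrets) {
      if (!value) continue; // an empty needle would match every file
      for (const { form, needle, foldCase } of candidateForms(value)) {
        if ((foldCase ? lower : source).includes(needle)) {
          leaks.push({ file, secret: name, form });
        }
      }
    }
  }
  return leaks;
}

// Read every .js file directly inside `dir` (e.g. the obfuscated folder) and scan it.
async function scanDir(dir, secrets) {
  const fs = await import("node:fs/promises");
  const path = await import("node:path");
  const files = {};
  for (const name of await fs.readdir(dir)) {
    if (name.endsWith(".js")) {
      files[name] = await fs.readFile(path.join(dir, name), "utf8");
    }
  }
  return findLeaks(files, secrets);
}

// Constructed sample standing in for obfuscated output (not real tool output).
const SAMPLE_SECRET = { name: "API_KEY", value: "example-key-12345" };
const SAMPLE_FILES = {
  "agent.js": `var _0x1a=['${Buffer.from(SAMPLE_SECRET.value).toString("base64")}'];`,
  "helper.js": "var _0x2b=function(a){return a+1;};",
};
console.log(findLeaks(SAMPLE_FILES, [SAMPLE_SECRET]));
```

An empty result only rules out these specific forms. The value can still be recovered from obfuscated code with enough effort, which is why high-value secrets belong behind the JWT authentication pattern rather than in the image.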
Updating the Dockerfile
The Dockerfile in the example is slightly modified to copy the obfuscated source code from the obfuscated folder instead of the src folder:
This will ensure only the obfuscated code gets published in the bot image.
Awesome! You now have an obfuscated bot that can store sensitive data in a publicly available image.