65 lines
1.8 KiB
Bash
Executable File
65 lines
1.8 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
secret_scan_paths() {
|
|
local scan_root="${1:-}"
|
|
shift || true
|
|
|
|
if [ -z "$scan_root" ]; then
|
|
echo "secret_scan_paths requires scan root" >&2
|
|
return 1
|
|
fi
|
|
|
|
local patterns='(sk-[A-Za-z0-9_-]+|AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{35}|ghp_[A-Za-z0-9]{36}|xox[baprs]-[A-Za-z0-9-]{10,}|-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----|authorization:[[:space:]]*bearer[[:space:]]+[A-Za-z0-9._-]{8,}|api[_-]?key[[:space:]]*[:=][[:space:]]*[A-Za-z0-9._-]{8,})'
|
|
local excludes=(
|
|
'--exclude=verify_phase6.sh'
|
|
'--exclude=secret_gate_lib.sh'
|
|
'--exclude=secret_gate_test.sh'
|
|
'--exclude=.env.example'
|
|
'--exclude=README.md'
|
|
'--exclude=CONFIGURATION.md'
|
|
'--exclude=DEPLOYMENT.md'
|
|
'--exclude-dir=.git'
|
|
'--exclude-dir=.serena'
|
|
'--exclude-dir=node_modules'
|
|
'--exclude-dir=dist'
|
|
'--exclude-dir=logs'
|
|
'--exclude-dir=reports'
|
|
)
|
|
|
|
if grep -R -n -E -i "$patterns" "$scan_root" "$@" \
|
|
--include='*.go' \
|
|
--include='*.ts' \
|
|
--include='*.tsx' \
|
|
--include='*.js' \
|
|
--include='*.jsx' \
|
|
--include='*.sh' \
|
|
--include='*.yml' \
|
|
--include='*.yaml' \
|
|
"${excludes[@]}"; then
|
|
return 1
|
|
fi
|
|
|
|
return 0
|
|
}
|
|
|
|
secret_env_files() {
|
|
local dockerignore_path="$1"
|
|
|
|
if [ ! -f "$dockerignore_path" ]; then
|
|
echo "missing dockerignore: $dockerignore_path" >&2
|
|
return 1
|
|
fi
|
|
|
|
if ! grep -Eq '^\.env(\..*)?$' "$dockerignore_path"; then
|
|
echo "missing .env ignore rule in $dockerignore_path" >&2
|
|
return 1
|
|
fi
|
|
|
|
if ! grep -Eq '^!\.env\.example$' "$dockerignore_path"; then
|
|
echo "missing explicit .env.example allow rule in $dockerignore_path" >&2
|
|
return 1
|
|
fi
|
|
|
|
return 0
|
|
}
|