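#!/bin/bash
# Advanced Secret Detection Script
#
# Scans the working tree for values that look like real secrets — API keys
# and tokens, connection strings with embedded credentials, cloud
# credentials, private-key material and committed .env files — rather than
# for every variable that happens to be called "password".
#
# Usage:       run from the repository root, no arguments.
# Exit status: 0 when nothing suspicious was found, 1 when any check fired.
#
# Notes for maintainers:
#   * Every hit is reported as `path:line` only. The matched text is never
#     echoed, so a real secret does not end up in the CI log this script is
#     meant to protect.
#   * Matching is case-insensitive: `API_KEY="…"` / `AWS_SECRET_ACCESS_KEY=…`
#     are the common spellings, and a case-sensitive `api[_-]?key` misses
#     them entirely.
#   * Directories are skipped by exact name (EXCLUDE_DIRS), not by
#     substring-filtering grep output — a `grep -v test` also hides hits in
#     files such as `latest.ts` and on any line containing the word "test",
#     and an unescaped `grep -v ".git"` drops `legitimate.js` as well.
#   * The scan covers the working tree, not only git-tracked files, so an
#     untracked key file is reported before it can be committed.
#   * This is a pattern-based heuristic. A dedicated scanner with entropy
#     rules (gitleaks, trufflehog, …) will catch shapes these regexes do not.
set -euo pipefail

# Colors for output
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color

print_status()  { echo -e "${GREEN}✅ $1${NC}"; }
print_warning() { echo -e "${YELLOW}⚠️ $1${NC}"; }
print_error()   { echo -e "${RED}❌ $1${NC}"; }

# Directory *names* that grep-based checks never descend into: third-party
# code, VCS metadata, build output and test directories. Files such as
# foo.test.ts that live next to production code are still scanned.
readonly EXCLUDE_DIRS=(node_modules .git .next test tests __tests__)

SECRETS_FOUND=false

#######################################
# Record a finding: print the offending locations and the error message.
# Arguments:
#   $1 - error message
#   $2 - newline-separated list of locations; empty means "no finding"
# Globals:
#   SECRETS_FOUND (set to true when $2 is non-empty)
# Returns:
#   0 always
#######################################
report() {
  local message=$1 hits=$2
  [[ -n "$hits" ]] || return 0
  printf '%s\n' "$hits"
  print_error "$message"
  SECRETS_FOUND=true
}

#######################################
# Run one grep-based check over the working tree.
# Arguments:
#   $1 - error message printed when the pattern matches
#   $2 - extended regex, matched case-insensitively
#   $@ - remaining args are passed straight to grep (e.g. --include globs);
#        with none given every non-binary file is scanned
# Globals:
#   EXCLUDE_DIRS (read), SECRETS_FOUND (via report)
# Outputs:
#   one `path:line` per hit on stdout; the matching text is deliberately
#   not printed so that secrets do not land in CI logs
# Returns:
#   0 always
#######################################
scan_for() {
  local message=$1 pattern=$2
  shift 2
  local -a args=(-r -n -i -I -E)
  local dir
  for dir in "${EXCLUDE_DIRS[@]}"; do
    args+=(--exclude-dir="$dir")
  done
  local hits
  # -n yields path:lineno:text; keep only path:lineno (a path that itself
  # contains ':' would be cut short, which is acceptable for a report).
  # grep exits 1 when nothing matches; that is not an error here.
  hits=$(grep "${args[@]}" "$@" -e "$pattern" -- . | cut -d: -f1,2) || true
  report "$message" "$hits"
}

echo "🔍 Advanced secret detection..."

# Variable/key names that usually carry a secret, in snake, kebab or camel
# spelling (case-insensitive, so apiKey / API_KEY / api-key all match).
readonly NAME_RE='(api[_-]?key|secret[_-]?key|private[_-]?key|access[_-]?token|bearer[_-]?token)'
# A secret-looking value: a quoted string of 20+ characters, or an unquoted
# token running to the end of the line as found in .env files
# (`API_KEY=sk_live_…`). The unquoted form excludes '.' so that
# `apiKey = process.env.API_KEY` is not mistaken for a literal value.
readonly VALUE_RE="(['\"][^'\"]{20,}|[A-Za-z0-9_/+=-]{20,}[[:space:]]*$)"
readonly SOURCE_GLOBS=(--include='*.js' --include='*.ts' --include='*.json')

# Check for hardcoded secrets (more specific patterns)
echo "Checking for hardcoded secrets..."

# Actual API keys, tokens, passwords (a name followed by a real-looking value)
scan_for "Hardcoded API keys or tokens found!" \
  "${NAME_RE}[[:space:]]*[:=][[:space:]]*${VALUE_RE}" \
  "${SOURCE_GLOBS[@]}" --include='*.env*'

# Connection strings with user:password embedded (postgres://u:p@host/db, …).
# The user part may be empty (redis://:password@host). The '/' exclusion in
# the password part keeps `host:27017/db?x@y` from being read as credentials.
# No output filtering on ".env" here: the old `grep -v ".env"` silently
# dropped lines like `process.env.DB_URL || "postgresql://u:p@host/db"`.
scan_for "Database connection strings with credentials found in source code!" \
  "(postgres(ql)?|mysql|mongodb(\+srv)?|redis|amqp)://[^:@/'\"[:space:]]*:[^@/'\"[:space:]]+@" \
  "${SOURCE_GLOBS[@]}"

# Cloud credentials: a named credential carrying an actual value (a bare
# mention of the name, e.g. reading it from the environment, is not a leak),
# an AWS access key id (AKIA…/ASIA… followed by 16 chars), or the marker of a
# GCP service-account JSON key file.
scan_for "Cloud service credentials found!" \
  "(aws[_-]?access[_-]?key[_-]?id|aws[_-]?secret[_-]?access[_-]?key|azure[_-]?account[_-]?key|gcp[_-]?service[_-]?account)[[:space:]]*[:=][[:space:]]*['\"]?[A-Za-z0-9/+=]{16,}|(^|[^A-Za-z0-9])(AKIA|ASIA)[0-9A-Z]{16}([^A-Za-z0-9]|$)|\"type\"[[:space:]]*:[[:space:]]*\"service_account\"" \
  "${SOURCE_GLOBS[@]}" --include='*.env*'

# JWT secrets or signing keys (32+ character values, quoted or .env style)
scan_for "JWT secrets or signing keys found!" \
  "(jwt[_-]?secret|signing[_-]?key|encryption[_-]?key)[[:space:]]*[:=][[:space:]]*(['\"][^'\"]{32,}|[A-Za-z0-9_/+=-]{32,}[[:space:]]*$)" \
  "${SOURCE_GLOBS[@]}" --include='*.env*'

# PEM private-key blocks in any text file, whatever it is called: a *.crt or
# *.txt that actually holds a key is still a leak.
scan_for "Private key material found!" \
  "-----BEGIN ([A-Z]+ )?PRIVATE KEY-----"

# .env files tracked by git (they belong in .gitignore). Matches .env,
# .env.<anything> and <name>.env, but not config.env.json. Sample/template
# files are meant to be committed and are not reported.
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
  env_files=$(git ls-files \
    | grep -E '(^|/)(\.env(\.[^/]*)?|[^/]+\.env)$' \
    | grep -v -E '\.env\.(example|sample|template)$') || true
  report ".env files found in git repository!" "$env_files"
else
  print_warning "Not inside a git work tree - skipping the tracked .env file check"
fi

# Files whose name alone marks them as key material. A certificate-only
# *.pem (CA bundle) is listed too; review rather than delete blindly.
# find may exit non-zero on unreadable directories; the listing it did
# produce is still used.
key_files=$(find . \( -name node_modules -o -name .git -o -name .next \) -prune -o -type f \
  \( -name '*.pem' -o -name '*.key' -o -name '*.p12' -o -name '*.pfx' \
     -o -name '*.jks' -o -name '*.keystore' -o -name '*.ppk' \
     -o -name 'id_rsa' -o -name 'id_dsa' -o -name 'id_ecdsa' -o -name 'id_ed25519' \) \
  -print) || true
report "Certificate or key files found in repository!" "$key_files"

if [[ "$SECRETS_FOUND" == true ]]; then
  print_error "Potential secrets detected - please review and remove"
  exit 1
fi
print_status "No actual secrets found in code"
echo "🔍 Secret detection completed!"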