denshooter/portfolio
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b06151739f689d2da67d94cfb29b30e04f848ddd
portfolio/scripts/check-secrets.sh
denshooter f7e0172111
Some checks failed
CI/CD Pipeline / test (push) Successful in 10m54s
Details
Security Scan / security (push) Failing after 5m21s
Details
CI/CD Pipeline / security (push) Successful in 5m25s
Details
CI/CD Pipeline / build (push) Failing after 2m27s
Details
CI/CD Pipeline / deploy (push) Has been skipped
Details
Refactor security scanning and database setup 
- Update security scan workflow to utilize a dedicated script for checking secrets, improving detection accuracy.
- Modify database connection setup in multiple scripts to use an environment variable fallback for DATABASE_URL, enhancing flexibility in different environments.
2025-09-11 11:17:35 +02:00

86 lines
2.8 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Advanced Secret Detection Script
# This script checks for actual secrets, not legitimate authentication code
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
print_status() {
echo -e "${GREEN}$1${NC}"
}
print_warning() {
echo -e "${YELLOW}⚠️ $1${NC}"
}
print_error() {
echo -e "${RED}$1${NC}"
}
echo "🔍 Advanced secret detection..."
SECRETS_FOUND=false
# Check for hardcoded secrets (more specific patterns)
echo "Checking for hardcoded secrets..."
# Check for actual API keys, tokens, passwords (not variable names)
if grep -r -E "(api[_-]?key|secret[_-]?key|private[_-]?key|access[_-]?token|bearer[_-]?token)\s*[:=]\s*['\"][^'\"]{20,}" \
--include="*.js" --include="*.ts" --include="*.json" --include="*.env*" . | \
grep -v node_modules | grep -v ".git" | grep -v ".next/" | grep -v "test"; then
print_error "Hardcoded API keys or tokens found!"
SECRETS_FOUND=true
fi
# Check for database connection strings with credentials (excluding .env files)
if grep -r -E "(postgresql|mysql|mongodb)://[^:]+:[^@]+@" \
--include="*.js" --include="*.ts" --include="*.json" . | \
grep -v node_modules | grep -v ".git" | grep -v ".next/" | grep -v "test" | \
grep -v ".env"; then
print_error "Database connection strings with credentials found in source code!"
SECRETS_FOUND=true
fi
# Check for AWS/cloud service credentials
if grep -r -E "(aws[_-]?access[_-]?key[_-]?id|aws[_-]?secret[_-]?access[_-]?key|azure[_-]?account[_-]?key|gcp[_-]?service[_-]?account)" \
--include="*.js" --include="*.ts" --include="*.json" --include="*.env*" . | \
grep -v node_modules | grep -v ".git" | grep -v ".next/" | grep -v "test"; then
print_error "Cloud service credentials found!"
SECRETS_FOUND=true
fi
# Check for .env files in git (should be in .gitignore)
if git ls-files | grep -E "\.env$|\.env\."; then
print_error ".env files found in git repository!"
SECRETS_FOUND=true
fi
# Check for common secret file patterns
if find . -name "*.pem" -o -name "*.key" -o -name "*.p12" -o -name "*.pfx" | grep -v node_modules | grep -v ".git"; then
print_error "Certificate or key files found in repository!"
SECRETS_FOUND=true
fi
# Check for JWT secrets or signing keys
if grep -r -E "(jwt[_-]?secret|signing[_-]?key|encryption[_-]?key)\s*[:=]\s*['\"][^'\"]{32,}" \
--include="*.js" --include="*.ts" --include="*.json" --include="*.env*" . | \
grep -v node_modules | grep -v ".git" | grep -v ".next/" | grep -v "test"; then
print_error "JWT secrets or signing keys found!"
SECRETS_FOUND=true
fi
if [ "$SECRETS_FOUND" = false ]; then
print_status "No actual secrets found in code"
else
print_error "Potential secrets detected - please review and remove"
exit 1
fi
echo "🔍 Secret detection completed!"
Reference in New Issue View Git Blame Copy Permalink