Security Remediation
Immediate actions
- Revoke and rotate any Gitea PAT previously stored in backend/mappings.db.
- Rotate any secrets encrypted with historical ENCRYPTION_KEY values.
- Reset affected local admin/test credentials if they ever existed outside disposable dev environments.
Purge git history
The repository history contains binary databases with sensitive data. Rewrite history before treating the repository as clean.
Recommended targets:
- backend/mappings.db
- backend/tasks.db
- backend/auth.db
- backend/backend/auth.db
- backend/test_auth_debug.py
- backend/test_decryption.py
- backend/test_encryption.py
Example with git filter-repo:
git filter-repo \
--invert-paths \
--path backend/mappings.db \
--path backend/tasks.db \
--path backend/auth.db \
--path backend/backend/auth.db \
--path backend/test_auth_debug.py \
--path backend/test_decryption.py \
--path backend/test_encryption.py
After rewrite:
git for-each-ref --format='delete %(refname)' refs/original | git update-ref --stdin
git reflog expire --expire=now --all
git gc --prune=now --aggressive
git push --force --all
git push --force --tags
Everyone with old clones must re-clone or hard-reset to the rewritten history.
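A check to run in the rewritten clone after the cleanup commands and before the force-push, confirming that none of the recommended targets is still reachable. This is an added example, not one of this repository's scripts; the names PURGE_TARGETS, leftover_targets and verify_purge are hypothetical.

```shell
#!/bin/sh
# Added example; function and variable names here are hypothetical.

# Paths from the "Recommended targets" list above.
PURGE_TARGETS="backend/mappings.db backend/tasks.db backend/auth.db \
backend/backend/auth.db backend/test_auth_debug.py \
backend/test_decryption.py backend/test_encryption.py"

# Reads `git rev-list --objects` output ("<object-id> <path>") on stdin and
# prints each purge target that still names an object (exact path match,
# each path reported once).
leftover_targets() {
    awk -v targets="$PURGE_TARGETS" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        {
            path = $0
            sub(/^[^ ]+ ?/, "", path)   # strip the object id; commits leave ""
            if ((path in want) && !(path in seen)) { seen[path] = 1; print path }
        }'
}

# Exit status: 0 = no target reachable, 1 = a target survives, 2 = not a repo.
# --all walks every ref; --reflog also walks reflog entries, so a skipped
# `git reflog expire` shows up here too.
verify_purge() {
    repo=${1:-.}
    git -C "$repo" rev-parse --git-dir >/dev/null 2>&1 || return 2
    left=$(git -C "$repo" rev-list --all --reflog --objects | leftover_targets)
    if [ -n "$left" ]; then
        printf 'still reachable:\n%s\n' "$left" >&2
        return 1
    fi
    echo "no purge targets reachable from any ref or reflog"
}
```

Call `verify_purge .` from the repository root; a non-zero status means a target is still in a ref or reflog and the push should wait.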
Ongoing checks
Run:
./scripts/scan_secrets.sh
before release and before pushing history-rewrite results.