30 lines
1.4 KiB
Bash
Executable File
30 lines
1.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# [DEF:scan_secrets:Module]
|
|
# @PURPOSE: Utility script for scan_secrets
|
|
# @TIER: TRIVIAL
|
|
# @COMPLEXITY: 1
|
|
set -euo pipefail
|
|
|
|
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
|
cd "${ROOT_DIR}"
|
|
|
|
echo "[scan] working tree patterns"
|
|
rg -nI \
|
|
--glob '!frontend/node_modules/**' \
|
|
--glob '!.svelte-kit/**' \
|
|
--glob '!dist/**' \
|
|
--glob '!build/**' \
|
|
'(AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}|AIza[0-9A-Za-z\-_]{35}|sk_live_[0-9A-Za-z]{16,}|sk_test_[0-9A-Za-z]{16,}|gh[pousr]_[A-Za-z0-9_]{20,}|github_pat_[A-Za-z0-9_]{20,}|glpat-[A-Za-z0-9\-_]{20,}|hf_[A-Za-z0-9]{20,}|-----BEGIN (RSA |DSA |EC |OPENSSH |PGP )?PRIVATE KEY-----|https?://[^/@[:space:]]+:[^@[:space:]]+@|ENCRYPTION_KEY[[:space:]]*=|AUTH_SECRET_KEY[[:space:]]*=)' \
|
|
| rg -v 'oauth2:(token|secret)@' || true
|
|
|
|
echo "[scan] tracked env and database artifacts"
|
|
git ls-files | rg '(^|/)\.env($|\.)|(^|/).*\.(db|sqlite|pem|p12|pfx|crt|key)$' || true
|
|
|
|
echo "[scan] git history patterns"
|
|
git grep -nIE \
|
|
'(AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}|AIza[0-9A-Za-z\-_]{35}|sk_live_[0-9A-Za-z]{16,}|sk_test_[0-9A-Za-z]{16,}|gh[pousr]_[A-Za-z0-9_]{20,}|github_pat_[A-Za-z0-9_]{20,}|glpat-[A-Za-z0-9\-_]{20,}|hf_[A-Za-z0-9]{20,}|-----BEGIN (RSA |DSA |EC |OPENSSH |PGP )?PRIVATE KEY-----|https?://[^/@[:space:]]+:[^@[:space:]]+@|ENCRYPTION_KEY[[:space:]]*=|AUTH_SECRET_KEY[[:space:]]*=)' \
|
|
$(git rev-list --all) \
|
|
| rg -v 'oauth2:(token|secret)@' || true
|
|
|
|
# [/DEF:scan_secrets:Module]
|