Devin
fdb14dc420
Some checks failed
CI / Backend (go 1.23.x) (pull_request) Successful in 56s
CI / Backend security scanners (pull_request) Failing after 40s
CI / Frontend (node 20) (pull_request) Successful in 2m19s
CI / gitleaks (secret scan) (pull_request) Failing after 7s
e2e-full / e2e-full (pull_request) Has been skipped
Two small follow-ups to the out-of-band git-history rewrite that
purged L@ker$2010 / L@kers2010 / L@ker\$2010 from every branch and
tag:
.gitleaks.toml:
- Regex was L@kers?\$?2010 which catches the expanded form but
NOT the shell-escaped form (L@ker\$2010) that slipped past PR #3
in scripts/setup-database.sh. PR #13 fixed the live leak but did
not tighten the detector. New regex L@kers?\\?\$?2010 catches
both forms so future pastes of either form fail CI.
- Description rewritten without the literal password (the previous
description was redacted by the history rewrite itself and read
'Legacy hardcoded ... (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)'
which was cryptic).
docs/SECURITY.md:
- New 'History-purge audit trail' section recording what was done,
how it was verified (0 literal password matches in any blob or
commit message; 0 legacy-password findings from a post-rewrite
gitleaks scan), and what operator cleanup is still required on
the Gitea host to drop the 13 refs/pull/*/head refs that still
pin the pre-rewrite commits (the update hook declined those refs
over HTTPS, so only an admin on the Gitea VM can purge them via
'git update-ref -d' + 'git gc --prune=now' in the bare repo).
- New 'Re-introduction guard' subsection pointing at the tightened
regex and commit 78e1ff5.
Verification:
gitleaks detect --no-git --source . --config .gitleaks.toml # 0 legacy hits
git log --all -p | grep -cE 'L@ker\$2010|L@kers2010' # 0
25 lines
877 B
TOML
25 lines
877 B
TOML
# gitleaks configuration for explorer-monorepo.
|
|
#
|
|
# Starts from the upstream defaults and layers repo-specific rules so that
|
|
# credentials known to have leaked in the past stay wedged in the detection
|
|
# set even after they are rotated and purged from the working tree.
|
|
#
|
|
# See docs/SECURITY.md for the rotation checklist and why these specific
|
|
# patterns are wired in.
|
|
|
|
[extend]
|
|
useDefault = true
|
|
|
|
[[rules]]
|
|
id = "explorer-legacy-db-password-L@ker"
|
|
description = "Legacy hardcoded Postgres / SSH password (redacted). Matches both the expanded form and the shell-escaped form (backslash-dollar) that appeared in scripts/setup-database.sh."
|
|
regex = '''L@kers?\\?\$?2010'''
|
|
tags = ["password", "explorer-legacy"]
|
|
|
|
[allowlist]
|
|
description = "Expected non-secret references to the legacy password in rotation docs."
|
|
paths = [
|
|
'''^docs/SECURITY\.md$''',
|
|
'''^CHANGELOG\.md$''',
|
|
]
|