Inicio Explorar Axuda
Iniciar sesión
logic855
/
claude-mods
réplica de https://github.com/0xDarkMatter/claude-mods.git
1
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: v2.4.2
Ramas Etiquetas
claude-mods
/
skills
/
push-gate
/
scripts
/
scan-secrets.sh

scan-secrets.sh 5.4 KB
Permalink Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132 
  1. #!/usr/bin/env bash
    2. 

  2. # scan-secrets.sh — Secret-scan a pending push diff via gitleaks + regex layer.
    3. 

  3. #
    4. 

  4. # Usage:   scan-secrets.sh <remote> <branch>
    5. 

  5. # Exit:    0 clean, 1 secret hit, 5 missing dep
    6. 

  6. 

  7. set -euo pipefail
    8. 

  8. 

  9. REMOTE="${1:?usage: scan-secrets.sh <remote> <branch>}"
    10. 

  10. BRANCH="${2:?usage: scan-secrets.sh <remote> <branch>}"
    11. 

  11. 

  12. SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
    13. 

  13. PATTERNS_FILE="$SCRIPT_DIR/../references/secret-patterns.txt"
    14. 

  14. 

  15. # ── Dep check ─────────────────────────────────────────────────────────────────
    16. 

  16. if ! command -v gitleaks >/dev/null 2>&1; then
    17. 

  17.   cat >&2 <<'EOF'
    18. 

  18. push-gate: gitleaks not installed.
    19. 

  19. 

  20. Install:
    21. 

  21.   Windows (scoop):    scoop install gitleaks
    22. 

  22.   Windows (winget):   winget install gitleaks.gitleaks
    23. 

  23.   macOS:              brew install gitleaks
    24. 

  24.   Linux (apt):        apt install gitleaks
    25. 

  25.   Any platform:       https://github.com/gitleaks/gitleaks/releases
    26. 

  26. EOF
    27. 

  27.   exit 5
    28. 

  28. fi
    29. 

  29. 

  30. if ! command -v rg >/dev/null 2>&1; then
    31. 

  31.   echo "push-gate: ripgrep (rg) not installed. See https://github.com/BurntSushi/ripgrep" >&2
    32. 

  32.   exit 5
    33. 

  33. fi
    34. 

  34. 

  35. # ── Range to scan ─────────────────────────────────────────────────────────────
    36. 

  36. RANGE="${REMOTE}/${BRANCH}..${BRANCH}"
    37. 

  37. 

  38. if ! git rev-parse --verify "${REMOTE}/${BRANCH}" >/dev/null 2>&1; then
    39. 

  39.   echo "push-gate: remote ref ${REMOTE}/${BRANCH} not found locally — did you fetch?" >&2
    40. 

  40.   exit 5
    41. 

  41. fi
    42. 

  42. 

  43. COMMIT_COUNT="$(git rev-list --count "$RANGE")"
    44. 

  44. if [ "$COMMIT_COUNT" -eq 0 ]; then
    45. 

  45.   echo "push-gate: nothing to push (${RANGE} is empty)."
    46. 

  46.   exit 0
    47. 

  47. fi
    48. 

  48. 

  49. # ── Layer 1: gitleaks on the commit range ─────────────────────────────────────
    50. 

  50. echo "push-gate: scanning ${COMMIT_COUNT} commits via gitleaks (${RANGE})"
    51. 

  51. GITLEAKS_REPORT="$(mktemp -t gitleaks.XXXXXX.json)"
    52. 

  52. trap 'rm -f "$GITLEAKS_REPORT" "$DIFF_FILE" 2>/dev/null || true' EXIT
    53. 

  53. 

  54. GITLEAKS_EXIT=0
    55. 

  55. gitleaks detect \
    56. 

  56.   --source . \
    57. 

  57.   --log-opts="$RANGE" \
    58. 

  58.   --report-format=json \
    59. 

  59.   --report-path="$GITLEAKS_REPORT" \
    60. 

  60.   --redact \
    61. 

  61.   --no-banner \
    62. 

  62.   --exit-code=1 \
    63. 

  63.   2>&1 || GITLEAKS_EXIT=$?
    64. 

  64. 

  65. if [ "$GITLEAKS_EXIT" -ne 0 ]; then
    66. 

  66.   echo ""
    67. 

  67.   echo "═══════════════════════════════════════════════════════════════"
    68. 

  68.   echo "  SECRET DETECTED (gitleaks)"
    69. 

  69.   echo "═══════════════════════════════════════════════════════════════"
    70. 

  70.   if command -v jq >/dev/null 2>&1 && [ -s "$GITLEAKS_REPORT" ]; then
    71. 

  71.     jq -r '.[] | "  \(.RuleID) in \(.File):\(.StartLine) — \(.Description)"' "$GITLEAKS_REPORT" 2>/dev/null \
    72. 

  72.       || cat "$GITLEAKS_REPORT"
    73. 

  73.   else
    74. 

  74.     cat "$GITLEAKS_REPORT"
    75. 

  75.   fi
    76. 

  76.   echo ""
    77. 

  77.   echo "Refusing push. Remediate via one of:"
    78. 

  78.   echo "  1. If the secret is real: rotate it NOW, then rewrite history"
    79. 

  79.   echo "     (git filter-repo, BFG, or reset + re-commit)."
    80. 

  80.   echo "  2. If it is a false positive: add to .gitleaksignore at repo root"
    81. 

  81.   echo "     and commit, then re-run push-gate."
    82. 

  82.   exit 1
    83. 

  83. fi
    84. 

  84. 

  85. # ── Layer 2: regex corpus on the diff ─────────────────────────────────────────
    86. 

  86. echo "push-gate: regex layer on added lines"
    87. 

  87. DIFF_FILE="$(mktemp -t push-gate-diff.XXXXXX)"
    88. 

  88. git diff "$RANGE" > "$DIFF_FILE"
    89. 

  89. 

  90. # Extract added lines only (strip the leading '+'), ignore file-header lines
    91. 

  91. ADDED_FILE="$(mktemp -t push-gate-added.XXXXXX)"
    92. 

  92. grep -E '^\+' "$DIFF_FILE" | grep -vE '^\+\+\+ ' | sed 's/^+//' > "$ADDED_FILE" || true
    93. 

  93. 

  94. # Load patterns (skip blanks/comments)
    95. 

  95. PATTERN_ARGS=()
    96. 

  96. while IFS= read -r line; do
    97. 

  97.   case "$line" in
    98. 

  98.     ''|\#*) continue ;;
    99. 

  99.     *) PATTERN_ARGS+=(-e "$line") ;;
    100. 

  100.   esac
    101. 

  101. done < "$PATTERNS_FILE"
    102. 

  102. 

  103. # Run ripgrep with all patterns; capture matches
    104. 

  104. RAW_HITS="$(rg --no-filename --line-number --no-heading "${PATTERN_ARGS[@]}" "$ADDED_FILE" 2>/dev/null || true)"
    105. 

  105. 

  106. # Filter common false positives
    107. 

  107. FILTERED_HITS="$(
    108. 

  108.   printf '%s\n' "$RAW_HITS" \
    109. 

  109.     | grep -viE '(example|placeholder|\<dummy\>|\<fake\>|\<TODO\>|<unset>|os\.environ|process\.env|getenv|\$\{[A-Z_]+:-|\$\{[A-Z_]+\}|\$\([A-Z_]+\)|\$env:[A-Z_]+|\.\.\.<|\.\.\.')|\.\.\.'\s*$)' \
    110. 

  110.     || true
    111. 

  111. )"
    112. 

  112. 

  113. # Drop blank lines
    114. 

  114. FILTERED_HITS="$(printf '%s\n' "$FILTERED_HITS" | grep -v '^$' || true)"
    115. 

  115. 

  116. rm -f "$ADDED_FILE" "$DIFF_FILE"
    117. 

  117. 

  118. if [ -n "$FILTERED_HITS" ]; then
    119. 

  119.   echo ""
    120. 

  120.   echo "═══════════════════════════════════════════════════════════════"
    121. 

  121.   echo "  SECRET-PATTERN MATCH (regex layer)"
    122. 

  122.   echo "═══════════════════════════════════════════════════════════════"
    123. 

  123.   printf '%s\n' "$FILTERED_HITS" | head -40
    124. 

  124.   echo ""
    125. 

  125.   echo "Refusing push. These are added lines matching secret-shape patterns."
    126. 

  126.   echo "Each match must be confirmed safe (placeholder/reference) or redacted"
    127. 

  127.   echo "via history rewrite. See SKILL.md §False-positive handling."
    128. 

  128.   exit 1
    129. 

  129. fi
    130. 

  130. 

  131. echo "push-gate: secret scan CLEAN (gitleaks + regex layer)"
    132. 

  132. exit 0
    133.