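#!/bin/bash
# verify-no-secrets.sh — pre-publication check that no secrets or internal
# references remain in this repository.
#
# Checks performed (relative to the current directory, which should be the
# repository root):
#   1. generic secret formats (API keys, tokens, password/secret/token
#      assignments) in the working tree,
#   2. specific known-removed secret values in the working tree and, when a
#      git repository is present, in the patches of every ref,
#   3. .env-style files in the working tree and whether .gitignore covers .env,
#   4. references to the internal project name (informational only).
#
# Usage:  ./verify-no-secrets.sh
# Exit:   0 when no issues were found, otherwise the number of issues (capped
#         at 255, the largest status a shell can report).
set -e

readonly SELF_NAME="verify-no-secrets.sh"

# Paths never scanned: dependency trees, build output, lockfiles and this
# script itself, which necessarily contains the very strings it looks for.
GREP_EXCLUDES=(
  --exclude-dir=node_modules
  --exclude-dir=.git
  --exclude-dir=dist
  --exclude="*.lock"
  --exclude="$SELF_NAME"
)
readonly GREP_EXCLUDES

FOUND_ISSUES=0

#######################################
# Recursively grep the repository and print a verdict based on grep's status.
# Arguments: $1 - label printed before the verdict
#            $2 - verdict printed when a match is found
#            $3 - verdict printed when nothing matched
#            $@ - remaining arguments are passed to grep (flags and -e PATTERN)
# Globals:   GREP_EXCLUDES (read); FOUND_ISSUES (incremented on a hit and on a
#            grep error)
# Outputs:   matching lines from grep followed by the verdict, on stdout
# Returns:   0 always, so the caller is safe under set -e
#######################################
scan_repo() {
  local label=$1 found_msg=$2 clean_msg=$3
  shift 3
  local rc=0
  printf '  %s... ' "$label"
  grep -r "$@" "${GREP_EXCLUDES[@]}" . 2>/dev/null || rc=$?
  case "$rc" in
    0) printf '%s\n' "$found_msg"
       FOUND_ISSUES=$((FOUND_ISSUES + 1)) ;;
    1) printf '%s\n' "$clean_msg" ;;
    # grep exits 2 when a file could not be read, even if other files
    # matched; an incomplete scan must not be reported as clean.
    *) printf '⚠️  grep exited %d (unreadable files?); treating as an issue\n' "$rc"
       FOUND_ISSUES=$((FOUND_ISSUES + 1)) ;;
  esac
  return 0
}

printf '🔍 Verifying repository for secrets...\n\n'

printf 'Checking for potential secrets in files...\n'

# Key formats are case-sensitive, so these are matched exactly.
KEY_PATTERNS=(
  "AIza[0-9A-Za-z_-]{35}"        # Google API key ('-' placed last so it is literal, not a range)
  "0x4AAAAAAA[A-Za-z0-9_-]{20,}" # Turnstile secret; the known values below have 25 chars after the prefix, so a fixed {32} never matched them
  "sk-[A-Za-z0-9]{32}"           # OpenAI API key
  "ghp_[A-Za-z0-9]{36}"          # GitHub personal access token
  "ghs_[A-Za-z0-9]{36}"          # GitHub secret
)
# Assignment patterns are matched case-insensitively so that PASSWORD="..."
# and Password = '...' are caught as well as the lowercase form.
ASSIGNMENT_PATTERNS=(
  "password\s*=\s*[\"'][^\"']+[\"']" # Password assignments
  "secret\s*=\s*[\"'][^\"']+[\"']"   # Secret assignments
  "token\s*=\s*[\"'][^\"']+[\"']"    # Token assignments
)

for pattern in "${KEY_PATTERNS[@]}"; do
  scan_repo "Checking for pattern: ${pattern:0:20}" "❌ FOUND!" "✅ Clean" -E -e "$pattern"
done
for pattern in "${ASSIGNMENT_PATTERNS[@]}"; do
  scan_repo "Checking for pattern: ${pattern:0:20}" "❌ FOUND!" "✅ Clean" -E -i -e "$pattern"
done

printf '\nChecking for specific removed secrets...\n'
# NOTE: these values are embedded in a committed script, so they remain part
# of the repository (and its history) whatever this check reports. Treat them
# as compromised and rotate them; the check only confirms that no *other*
# file still references them.
REMOVED_SECRETS=(
  "0x4AAAAAAABiq4xGK4Dbs8cfnWQiDYt7_WQ" # Old Turnstile secret
  "0x4AAAAAAABiq8SlsW8IhYCkxYJVu7Yj2gk" # New Turnstile secret
)
for secret in "${REMOVED_SECRETS[@]}"; do
  scan_repo "Checking for: ${secret:0:20}" "❌ FOUND! This secret must be removed!" "✅ Not found (good)" -F -e "$secret"
done

printf '\nChecking git history for removed secrets...\n'
printf '  Scanning patches of all refs... '
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
  history_patterns=()
  for secret in "${REMOVED_SECRETS[@]}"; do
    history_patterns+=(-e "$secret")
  done
  # Without pipefail the pipeline's status is grep's (0 hit, 1 none, 2 error);
  # -q stops at the first hit, so git may be cut off by SIGPIPE, which is
  # harmless here. This script is excluded from the pathspec because it holds
  # these values by design.
  rc=0
  git log --all -p -- . ":(exclude)*$SELF_NAME" 2>/dev/null \
    | grep -F -q "${history_patterns[@]}" || rc=$?
  case "$rc" in
    0) printf '❌ FOUND in history! Rotate the secret; removing it from the working tree is not enough.\n'
       FOUND_ISSUES=$((FOUND_ISSUES + 1)) ;;
    1) printf '✅ Not found in history\n' ;;
    *) printf '⚠️  history scan failed (grep exited %d); check it manually\n' "$rc"
       FOUND_ISSUES=$((FOUND_ISSUES + 1)) ;;
  esac
else
  printf '⚠️  not a git repository; history not checked\n'
fi

printf '\nChecking for environment files...\n'
# Any .env / .env.* file outside the excluded trees, except documented
# templates (.example/.sample/.template), which are meant to be committed.
env_files=$(find . \( -name node_modules -o -name .git -o -name dist \) -prune -o \
  -type f \( -name '.env' -o -name '.env.*' \) \
  ! -name '*.example' ! -name '*.sample' ! -name '*.template' -print 2>/dev/null) || true
if [ -n "$env_files" ]; then
  printf '  ❌ Environment file(s) present! Remove them before going public:\n'
  while IFS= read -r env_file; do
    printf '     %s\n' "$env_file"
  done <<<"$env_files"
  FOUND_ISSUES=$((FOUND_ISSUES + 1))
else
  printf '  ✅ No .env file found\n'
fi

printf '\nChecking .gitignore...\n'
# Accept the gitignore lines that ignore a root .env: ".env", "/.env", ".env*".
if grep -q -E '^/?\.env\*?$' .gitignore 2>/dev/null; then
  printf '  ✅ .env is in .gitignore\n'
else
  # Warning only; a .env actually present in the tree is caught above.
  printf '  ⚠️  .env is not in .gitignore!\n'
fi

printf '\nChecking for internal project references...\n'
printf '  Checking for project-bigfoot... '
# -l counts files rather than matching lines, which is what the message says;
# GREP_EXCLUDES also drops this script, whose only reference is this check.
ref_file_count=$(( $(grep -r -l -F "project-bigfoot" "${GREP_EXCLUDES[@]}" . 2>/dev/null | wc -l) ))
if [ "$ref_file_count" -gt 0 ]; then
  printf 'Found in %d files (review if this should be genericized)\n' "$ref_file_count"
else
  printf '✅ Not found\n'
fi

printf '\n=========================================\n'
if [ "$FOUND_ISSUES" -eq 0 ]; then
  printf '✅ VERIFICATION PASSED!\n'
  printf 'No secrets or sensitive information found.\n'
  printf 'Repository appears safe to make public.\n'
else
  printf '❌ VERIFICATION FAILED!\n'
  printf 'Found %d issue(s) that need to be addressed.\n' "$FOUND_ISSUES"
  printf 'Fix these issues before making the repository public!\n'
fi
printf '=========================================\n'
# Exit statuses wrap modulo 256, so a large count must never read as success.
if [ "$FOUND_ISSUES" -gt 255 ]; then
  exit 255
fi
exit "$FOUND_ISSUES"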