MokoConsulting/moko-platform
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Releases 4 Wiki Activity
Files
46a87d2a98e487357dfd8bbb6255b3076b565ecd
moko-platform/validate/check_no_secrets.php
T
Jonathan Miller b0cc468155 feat: migrate to Gitea-only workflows and API 
- RepositorySynchronizer defaults to GiteaAdapter
- PlatformAdapterFactory points to git.mokoconsulting.tech
- All plugins reference .gitea/workflows instead of .github/workflows
- push_files.php uses Gitea API
- Common.php REPO URLs updated to Gitea
- sync_dolibarr_readmes.php updated to Gitea URLs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 17:40:18 -05:00

114 lines
3.3 KiB
PHP
Raw Blame History

#!/usr/bin/env php
<?php
/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
*
* This file is part of a Moko Consulting project.
*
* SPDX-License-Identifier: GPL-3.0-or-later
*
* FILE INFORMATION
* DEFGROUP: MokoStandards.Scripts.Validate
* INGROUP: MokoStandards
* REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
* PATH: /validate/check_no_secrets.php
* VERSION: 04.06.00
* BRIEF: Checks for potential secrets in committed files (advisory)
*/
declare(strict_types=1);
require_once __DIR__ . '/../../vendor/autoload.php';
use MokoEnterprise\CliFramework;
/**
* Scans all tracked non-binary files for common secret patterns (advisory — always exits 0).
*/
class CheckNoSecrets extends CliFramework
{
/** Regex matching suspicious key=value or key: value assignments. */
private const SECRET_PATTERN = '/(password|api[_\-]?key|secret|token|private[_\-]?key)\s*[:=]\s*["\'][^"\']{8,}/i';
/**
* Substrings that mark a line as a known-safe false positive.
* Dolibarr CSRF token functions generate nonces at runtime — not credentials.
*/
private const SAFE_SUBSTRINGS = ['newToken()', 'checkToken()', 'currentToken()'];
/** Binary file extensions to skip. */
private const BINARY_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip', 'tar', 'gz'];
/**
* Configure available arguments.
*/
protected function configure(): void
{
$this->setDescription('Checks for potential secrets in committed files (advisory)');
$this->addArgument('--path', 'Repository path to check', '.');
}
/**
* Run the secrets scan (advisory — always exits 0).
*
* @return int Exit code: always 0.
*/
protected function run(): int
{
$path = $this->getArgument('--path');
$output = shell_exec('git -C ' . escapeshellarg($path) . ' ls-files 2>/dev/null') ?? '';
$all = array_values(array_filter(explode("\n", $output)));
$files = array_filter($all, function (string $f): bool {
return !in_array(strtolower(pathinfo($f, PATHINFO_EXTENSION)), self::BINARY_EXTENSIONS, true);
});
$files = array_values($files);
$total = count($files);
$found = 0;
$this->section('Scanning for secret patterns');
foreach ($files as $i => $file) {
$this->progress($i + 1, $total, $file);
$fullPath = $path . '/' . $file;
if (!is_file($fullPath)) {
continue;
}
$lines = explode("\n", (string) file_get_contents($fullPath));
$flagged = false;
foreach ($lines as $line) {
if (!preg_match(self::SECRET_PATTERN, $line)) {
continue;
}
// Skip known-safe patterns (e.g. Dolibarr CSRF token functions)
$safe = false;
foreach (self::SAFE_SUBSTRINGS as $sub) {
if (str_contains($line, $sub)) {
$safe = true;
break;
}
}
if (!$safe) {
$flagged = true;
break;
}
}
if ($flagged) {
$this->progress($i + 1, $total, '', true);
$this->status(false, $file, 'potential secret pattern detected');
$found++;
}
}
$this->progress($total, $total, '', true);
$this->printSummary($total - $found, $found, $this->elapsed());
if ($found > 0) {
$this->log('WARNING', 'Advisory — review flagged files manually');
}
return 0;
}
}
$script = new CheckNoSecrets('check_no_secrets', 'Checks for potential secrets in committed files');
exit($script->execute());
Reference in New Issue View Git Blame Copy Permalink