- Hardened cron endpoints with coordination and auth improvements - Added API guards and input validation layer - Security observability and secrets health checks - Monitoring types and service improvements - PDF URL validation and newsletter unsubscribe security - Unit tests for security-critical paths Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
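#!/usr/bin/env bash
# Generate a markdown report stating whether a sensitive dump file
# (default: backup.sql) is tracked right now, whether it ever appeared in
# git history on any ref, and whether gitleaks is installed for a proper
# full-history secret scan.
#
# Usage: <this script> [REPORT_PATH] [SENSITIVE_PATH]
#   REPORT_PATH     markdown file to write
#                   (default: docs/reports/2026-02-17-history-scan.md)
#   SENSITIVE_PATH  repository-relative path to look for (default: backup.sql)
#
# Exits non-zero if the repository root cannot be entered or the report
# cannot be written. The git lookups themselves are best-effort: a missing
# file or an empty repository produce a report, not a failure.
set -euo pipefail

# The script sits two directory levels below the repository root.
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
readonly REPO_ROOT
cd "$REPO_ROOT"

REPORT_PATH="${1:-docs/reports/2026-02-17-history-scan.md}"
SENSITIVE_PATH="${2:-backup.sql}"
readonly REPORT_PATH SENSITIVE_PATH
NOW_UTC="$(date -u +"%Y-%m-%d %H:%M:%S UTC")"
readonly NOW_UTC

mkdir -p "$(dirname -- "$REPORT_PATH")"

# Build the report in a temp file beside the target and rename at the end,
# so an error part-way through never leaves a truncated report in place.
tmp_report="$(mktemp "${REPORT_PATH}.XXXXXX")"
readonly tmp_report
trap 'rm -f -- "$tmp_report"' EXIT

#######################################
# Is the sensitive path tracked in the index? git ls-files inspects the
# index, which mirrors HEAD unless an add/rm is staged but not committed.
# Globals:   SENSITIVE_PATH (read)
# Returns:   0 if tracked, non-zero otherwise
#######################################
is_tracked_now() {
  git ls-files --error-unmatch -- "$SENSITIVE_PATH" >/dev/null 2>&1
}

#######################################
# Every commit on any ref that touched the sensitive path, one per line.
# --full-history switches off history simplification, which can otherwise
# drop an add+remove that happened on a side branch before a merge; for an
# exposure scan a later deletion must not hide the original commit.
# Fails soft (prints nothing) e.g. in a repository with no commits yet.
# Globals:   SENSITIVE_PATH (read)
# Outputs:   "<short-hash> <date> <subject>" lines to stdout
#######################################
history_for_path() {
  git log --all --full-history --date=short --pretty=format:'%h %ad %s' \
    -- "$SENSITIVE_PATH" || true
}

backup_history="$(history_for_path)"
readonly backup_history

# The user-supplied path is always passed as a printf argument, never as the
# format string.
{
  printf '# Git History Security Scan\n\n'
  printf -- '- Generated: %s\n' "$NOW_UTC"
  printf -- '- Repository: payload-cms\n\n'

  printf '## Summary\n\n'

  if is_tracked_now; then
    printf -- '- `%s` is still tracked in current HEAD (critical).\n' "$SENSITIVE_PATH"
  else
    printf -- '- `%s` is not tracked in current HEAD.\n' "$SENSITIVE_PATH"
  fi

  if [[ -n "$backup_history" ]]; then
    printf -- '- `%s` exists in git history and must be treated as potentially sensitive.\n' "$SENSITIVE_PATH"
  else
    printf -- '- No git history entries found for `%s`.\n' "$SENSITIVE_PATH"
  fi

  if command -v gitleaks >/dev/null 2>&1; then
    printf -- '- `gitleaks` available: yes (run with: `gitleaks git --redact --verbose`).\n'
  else
    printf -- '- `gitleaks` available: no (install recommended for full-history secret scanning).\n'
  fi

  printf '\n## %s Commit History\n\n' "$SENSITIVE_PATH"

  if [[ -n "$backup_history" ]]; then
    printf '```text\n'
    printf '%s\n' "$backup_history"
    printf '```\n'
  else
    printf '_No entries found._\n'
  fi

  printf '\n## Recommended Actions\n\n'
  printf '1. Rotate DB credentials if `%s` contained production or staging data.\n' "$SENSITIVE_PATH"
  printf '2. Rotate SMTP/API/OAuth secrets if dumps included integration credentials.\n'
  printf '3. If required by compliance, rewrite history for `%s` (e.g. `git filter-repo`) and force-push.\n' "$SENSITIVE_PATH"
  printf '4. Enable periodic full-history scans in CI using gitleaks.\n'
} > "$tmp_report"

# Atomic publish: the report appears complete or not at all.
mv -f -- "$tmp_report" "$REPORT_PATH"

printf 'History scan report written to %s\n' "$REPORT_PATH"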