Codex
49 lines
1.3 KiB
PowerShell
49 lines
1.3 KiB
PowerShell
$ErrorActionPreference = "Stop"
|
|
|
|
$patterns = @(
|
|
"DB_PASSWORD\s*=\s*(?!<)",
|
|
"JWT_SECRET\s*=\s*(?!<)",
|
|
"WECHAT_SECRET\s*=\s*(?!<)",
|
|
"PRIVATE_KEY",
|
|
"api_key\s*[:=]\s*(?!<)",
|
|
"password\s*[:=]\s*(?!<)"
|
|
)
|
|
|
|
$excluded = @("\.git\", "node_modules", "dist", "build")
|
|
$excludedFiles = @(
|
|
"V4.8.md",
|
|
"scripts\dev\windows\check-secrets.ps1"
|
|
)
|
|
$hits = @()
|
|
|
|
$candidateFiles = @()
|
|
(& git -c core.quotePath=false ls-files --cached --others --exclude-standard) | ForEach-Object {
|
|
if ($_ -and (Test-Path $_ -PathType Leaf)) {
|
|
$candidateFiles += (Resolve-Path $_).Path
|
|
}
|
|
}
|
|
|
|
$candidateFiles | ForEach-Object {
|
|
$path = $_
|
|
foreach ($skip in $excluded) {
|
|
if ($path -match [regex]::Escape($skip)) { return }
|
|
}
|
|
$relativePath = Resolve-Path -Relative $path
|
|
$relativePath = $relativePath.TrimStart('.', '\', '/')
|
|
if ($excludedFiles -contains $relativePath) { return }
|
|
$text = Get-Content -Raw -ErrorAction SilentlyContinue $path
|
|
foreach ($pattern in $patterns) {
|
|
if ($text -match $pattern) {
|
|
$hits += $path
|
|
break
|
|
}
|
|
}
|
|
}
|
|
|
|
if ($hits.Count -gt 0) {
|
|
$hits | Sort-Object -Unique | ForEach-Object { Write-Host "SECRET-CHECK-HIT: $_" }
|
|
throw "Potential secrets found. Please review and redact."
|
|
}
|
|
|
|
Write-Host "PASS: no plaintext secret pattern found."
|