chore: add missing repo policy files (auto-enforced)
Applied 7 policy files via audit-repo-policies.sh. Repo type: docs. Files: Makefile, .editorconfig, .prettierrc, .prettierignore, .dockerignore, .gitignore, tools/secret-scan.sh
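--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,5 @@
+.git
+node_modules
+coverage
+*.md
+!README.md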
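--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,15 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[Makefile]
+indent_style = tab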
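--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,10 @@
+node_modules/
+coverage/
+dist/
+.env
+.env.*
+!.env.example
+*.log
+.DS_Store
+*.swp
+*~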
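--- a/.prettierignore
+++ b/.prettierignore
@@ -0,0 +1,4 @@
+node_modules
+*.min.js
+coverage
+dist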
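--- a/.prettierrc
+++ b/.prettierrc
@@ -0,0 +1,6 @@
+{
+    "singleQuote": true,
+    "trailingComma": "all",
+    "tabWidth": 4,
+    "proseWrap": "always"
+}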
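--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,39 @@
+BUMP ?= patch
+
+.PHONY: check test lint fmt fmt-check secret-scan hooks release
+
+check: lint fmt-check secret-scan test
+
+test:
+	@echo "No tests configured for docs repo"
+
+lint:
+	@echo "No linter configured for docs repo"
+
+fmt:
+	@echo "No formatter configured for docs repo"
+
+fmt-check:
+	@echo "No format check configured for docs repo"
+
+secret-scan:
+	bash tools/secret-scan.sh .
+
+hooks:
+	mkdir -p .git/hooks && printf '#!/bin/sh\nmake check' > .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
+
+release:
+	@current=$$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0"); \
+	major=$$(echo $$current | sed 's/^v//' | cut -d. -f1); \
+	minor=$$(echo $$current | sed 's/^v//' | cut -d. -f2); \
+	patch=$$(echo $$current | sed 's/^v//' | cut -d. -f3); \
+	case "$(BUMP)" in \
+	    major) major=$$((major+1)); minor=0; patch=0 ;; \
+	    minor) minor=$$((minor+1)); patch=0 ;; \
+	    patch) patch=$$((patch+1)) ;; \
+	    *) echo "BUMP must be patch, minor, or major"; exit 1 ;; \
+	esac; \
+	next="v$$major.$$minor.$$patch"; \
+	echo "Tagging $$next (was $$current)"; \
+	git tag -a "$$next" -m "Release $$next"; \
+	git push origin "$$next"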
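Review bot: The release recipe does arithmetic on whatever `git describe --tags --abbrev=0` returns without checking that it is a `vMAJOR.MINOR.PATCH` tag, so a tag such as `v1.2` is silently turned into `v1.2.1` (an empty `patch` evaluates to 0 in `$$((patch+1))`) and a pre-release tag such as `v1.2.3-rc1` is mangled before `git tag` and `git push` run. A guard right after the `current=` line fails early instead: `echo "$$current" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$$' || { echo "latest tag $$current is not vX.Y.Z"; exit 1; }; \`. The `hooks` target also overwrites an existing `.git/hooks/pre-commit` without checking for one; `[ -e .git/hooks/pre-commit ] && { echo "pre-commit hook already exists"; exit 1; };` before the `printf` would preserve it. Recipe indentation is lost in the rendered view, so the tab requirement for these lines cannot be confirmed here.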
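--- a/tools/secret-scan.sh
+++ b/tools/secret-scan.sh
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# secret-scan.sh — Scans for private keys and high-entropy secrets
+# Usage: bash tools/secret-scan.sh [directory]
+# Uses .secret-scan-allowlist for false positives (one file path per line)
+
+set -e
+
+SCAN_DIR="${1:-.}"
+ALLOWLIST=".secret-scan-allowlist"
+FINDINGS=0
+
+# Build find exclusions
+EXCLUDES=(-not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/coverage/*" -not -path "*/dist/*")
+
+# Load allowlist
+ALLOWLIST_PATHS=()
+if [ -f "$ALLOWLIST" ]; then
+    while IFS= read -r line || [ -n "$line" ]; do
+        [[ "$line" =~ ^#.*$ || -z "$line" ]] && continue
+        ALLOWLIST_PATHS+=("$line")
+    done < "$ALLOWLIST"
+fi
+
+is_allowed() {
+    local file="$1"
+    for allowed in "${ALLOWLIST_PATHS[@]}"; do
+        if [[ "$file" == *"$allowed"* ]]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+echo "Scanning $SCAN_DIR for secrets..."
+
+# Scan for private keys
+while IFS= read -r file; do
+    [ -f "$file" ] || continue
+    is_allowed "$file" && continue
+    if grep -qE '-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null; then
+        echo "FINDING [private-key]: $file"
+        FINDINGS=$((FINDINGS + 1))
+    fi
+done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f)
+
+# Scan for high-entropy hex strings (40+ chars)
+while IFS= read -r file; do
+    [ -f "$file" ] || continue
+    is_allowed "$file" && continue
+    if grep -qE '[0-9a-f]{40,}' "$file" 2>/dev/null; then
+        # Filter out common false positives (git SHAs in lock files, etc.)
+        BASENAME=$(basename "$file")
+        if [[ "$BASENAME" != "package-lock.json" && "$BASENAME" != "*.lock" ]]; then
+            MATCHES=$(grep -oE '[0-9a-f]{40,}' "$file" 2>/dev/null || true)
+            if [ -n "$MATCHES" ]; then
+                echo "FINDING [high-entropy-hex]: $file"
+                FINDINGS=$((FINDINGS + 1))
+            fi
+        fi
+    fi
+done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f -not -name "package-lock.json" -not -name "*.lock")
+
+if [ "$FINDINGS" -gt 0 ]; then
+    echo "secret-scan: $FINDINGS finding(s) — FAIL"
+    exit 1
+else
+    echo "secret-scan: clean — PASS"
+    exit 0
+fi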
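Review bot: The allowlist test in is_allowed is an unanchored substring match (`if [[ "$file" == *"$allowed"* ]]; then`), so an entry such as `.env` exempts every path that contains that text (for example `config/.env.production`) and a one- or two-character entry silently switches the scan off for most of the tree; anchoring it to a file or directory, `if [[ "${file#./}" == "${allowed#./}" || "${file#./}" == "${allowed#./}/"* ]]; then`, keeps each exemption to what was named. In the hex scan, `"$BASENAME" != "*.lock"` compares against the literal string `*.lock` because a quoted right-hand side in `[[ == ]]` disables pattern matching, and the `find -not -name "*.lock"` on the loop input already does that filtering, so the inner basename check is dead code. The `grep -oE` into `MATCHES` re-reads a file that `grep -qE` has just matched, so `[ -n "$MATCHES" ]` is always true and the second grep can be dropped. The private-key pattern could also be widened to the `ENCRYPTED PRIVATE KEY` and `PGP PRIVATE KEY BLOCK` headers, and `grep -I` would skip binary files explicitly rather than relying on `2>/dev/null`; the script declares `set -e` but not `-u` or `-o pipefail`, which the rest of the repo policy may want for consistency.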