From 7590df83defb5b3ec919106b75936413850fbcd4 Mon Sep 17 00:00:00 2001 From: Xen Date: Mon, 6 Apr 2026 13:25:22 +0000 Subject: [PATCH] chore: add missing repo policy files (auto-enforced) Applied 7 policy files via audit-repo-policies.sh. Repo type: docs Files: Makefile .editorconfig .prettierrc .prettierignore .dockerignore .gitignore tools/secret-scan.sh
--- .dockerignore | 5 ++++ .editorconfig | 15 ++++++++++ .gitignore | 10 +++++++ .prettierignore | 4 +++ .prettierrc | 6 ++++ Makefile | 39 +++++++++++++++++++++++++ tools/secret-scan.sh | 69 ++++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 148 insertions(+) create mode 100644 .dockerignore create mode 100644 .editorconfig create mode 100644 .gitignore create mode 100644 .prettierignore create mode 100644 .prettierrc create mode 100644 Makefile create mode 100755 tools/secret-scan.sh
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..af75543
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,5 @@
+.git
+node_modules
+coverage
+*.md
+!README.md
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..fddf9c1
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,15 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[Makefile]
+indent_style = tab
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..651d4b4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+node_modules/
+coverage/
+dist/
+.env
+.env.*
+!.env.example
+*.log
+.DS_Store
+*.swp
+*~
diff --git a/.prettierignore b/.prettierignore
new file mode 100644
index 0000000..e56696c
--- /dev/null
+++ b/.prettierignore
@@ -0,0 +1,4 @@
+node_modules
+*.min.js
+coverage
+dist
diff --git a/.prettierrc b/.prettierrc
new file mode 100644
index 0000000..c8018ac
--- /dev/null
+++ b/.prettierrc
@@ -0,0 +1,6 @@
+{
+ "singleQuote": true,
+ "trailingComma": "all",
+ "tabWidth": 4,
+ "proseWrap": "always"
+}
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..8a10397
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,39 @@
+BUMP ?= patch
+
+.PHONY: check test lint fmt fmt-check secret-scan hooks release
+
+check: lint fmt-check secret-scan test
+
+test:
+ @echo "No tests configured for docs repo"
+
+lint:
+ @echo "No linter configured for docs repo"
+
+fmt:
+ @echo "No formatter configured for docs repo"
+
+fmt-check:
+ @echo "No format check configured for docs repo"
+
+secret-scan:
+ bash tools/secret-scan.sh .
+
+hooks:
+ mkdir -p .git/hooks && printf '#!/bin/sh\nmake check' > .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
+
+release:
+ @current=$$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0"); \
+ major=$$(echo $$current | sed 's/^v//' | cut -d. -f1); \
+ minor=$$(echo $$current | sed 's/^v//' | cut -d. -f2); \
+ patch=$$(echo $$current | sed 's/^v//' | cut -d. -f3); \
+ case "$(BUMP)" in \
+ major) major=$$((major+1)); minor=0; patch=0 ;; \
+ minor) minor=$$((minor+1)); patch=0 ;; \
+ patch) patch=$$((patch+1)) ;; \
+ *) echo "BUMP must be patch, minor, or major"; exit 1 ;; \
+ esac; \
+ next="v$$major.$$minor.$$patch"; \
+ echo "Tagging $$next (was $$current)"; \
+ git tag -a "$$next" -m "Release $$next"; \
+ git push origin "$$next"
diff --git a/tools/secret-scan.sh b/tools/secret-scan.sh
new file mode 100755
index 0000000..c7e5efe
--- /dev/null
+++ b/tools/secret-scan.sh
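Review bot: The `hooks` recipe overwrites any existing `.git/hooks/pre-commit` without checking for one, so a developer's own hook is silently lost; guard it with `test ! -e .git/hooks/pre-commit || { echo "refusing to overwrite existing pre-commit hook" >&2; exit 1; }` before the `printf`. The hook it installs runs `make check`, which calls `tools/secret-scan.sh .` over the whole working tree rather than the staged files, so an ignored `.env` or an untracked scratch file holding a key blocks every commit until it is allowlisted — worth a comment on the target such as `# pre-commit scans the full working tree, not just staged files`. The `release` recipe tags and pushes without confirming the working tree is clean, so it can tag HEAD while the changes meant for the release are still uncommitted; `git diff --quiet && git diff --cached --quiet || { echo "working tree not clean" >&2; exit 1; }` ahead of `git tag` would catch that.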
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# secret-scan.sh — Scans for private keys and high-entropy secrets
+# Usage: bash tools/secret-scan.sh [directory]
+# Uses .secret-scan-allowlist for false positives (one file path per line)
+
+set -e
+
+SCAN_DIR="${1:-.}"
+ALLOWLIST=".secret-scan-allowlist"
+FINDINGS=0
+
+# Build find exclusions
+EXCLUDES=(-not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/coverage/*" -not -path "*/dist/*")
+
+# Load allowlist
+ALLOWLIST_PATHS=()
+if [ -f "$ALLOWLIST" ]; then
+ while IFS= read -r line || [ -n "$line" ]; do
+ [[ "$line" =~ ^#.*$ || -z "$line" ]] && continue
+ ALLOWLIST_PATHS+=("$line")
+ done < "$ALLOWLIST"
+fi
+
+is_allowed() {
+ local file="$1"
+ for allowed in "${ALLOWLIST_PATHS[@]}"; do
+ if [[ "$file" == *"$allowed"* ]]; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+echo "Scanning $SCAN_DIR for secrets..."
+
+# Scan for private keys
+while IFS= read -r file; do
+ [ -f "$file" ] || continue
+ is_allowed "$file" && continue
+ if grep -qE '-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null; then
+ echo "FINDING [private-key]: $file"
+ FINDINGS=$((FINDINGS + 1))
+ fi
+done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f)
+
+# Scan for high-entropy hex strings (40+ chars)
+while IFS= read -r file; do
+ [ -f "$file" ] || continue
+ is_allowed "$file" && continue
+ if grep -qE '[0-9a-f]{40,}' "$file" 2>/dev/null; then
+ # Filter out common false positives (git SHAs in lock files, etc.)
+ BASENAME=$(basename "$file")
+ if [[ "$BASENAME" != "package-lock.json" && "$BASENAME" != "*.lock" ]]; then
+ MATCHES=$(grep -oE '[0-9a-f]{40,}' "$file" 2>/dev/null || true)
+ if [ -n "$MATCHES" ]; then
+ echo "FINDING [high-entropy-hex]: $file"
+ FINDINGS=$((FINDINGS + 1))
+ fi
+ fi
+ fi
+done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f -not -name "package-lock.json" -not -name "*.lock")
+
+if [ "$FINDINGS" -gt 0 ]; then
+ echo "secret-scan: $FINDINGS finding(s) — FAIL"
+ exit 1
+else
+ echo "secret-scan: clean — PASS"
+ exit 0
+fi
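Review bot: The private-key pattern in the first scan loop, `'-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----'`, does not match PKCS#8 `ENCRYPTED PRIVATE KEY` or `PGP PRIVATE KEY BLOCK` headers, so those files pass the gate; widen it to `'-----BEGIN (RSA |EC |OPENSSH |DSA |ENCRYPTED |PGP )?PRIVATE KEY( BLOCK)?-----'`. The second loop only looks for 40+ lowercase hex characters — no entropy is measured — so base64 and mixed-case tokens (the usual shape of API keys) are missed while every full git SHA quoted in a document fails the scan, which for a docs repo (per the commit message) makes FAIL the common outcome; the header comment and the `[high-entropy-hex]` label should say "long hex string" so nobody reads it as real secret detection. In `is_allowed`, `[[ "$file" == *"$allowed"* ]]` is a substring match, so an allowlist entry like `.md` silences every Markdown file; anchoring on the full path, `[[ "$file" == "$allowed" || "$file" == "./$allowed" ]]`, keeps the allowlist narrow. The `"$BASENAME" != "*.lock"` comparison is a literal string compare because the pattern is quoted, though it is already redundant with the `find -not -name "*.lock"` on the same loop, so it can simply be dropped. `set -e` alone leaves unset variables and failed pipeline stages unchecked; `set -euo pipefail` is the expected opener for a script that gates commits.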