ozan a81a450e7e feat: monorepo consolidation — merge CLI, bot, admin, team-tool, website, docs, runner, proxy
Merged into tinqs/studio:
- cmd/tinqs-cli/    — tinqs-cli (Go binary, from bot/cli)
- cmd/tea/          — Gitea CLI tool (from tinqs/cli-tea)
- services/bot/     — Bot service (from tinqs-ltd/bot on git.arikigame.com)
- services/admin/   — Admin panel (from tinqs/admin)
- services/team-tool/ — Team Tool (from tinqs/team-tool)
- services/proxy/   — tinqs-proxy (from bot/proxy)
- web/landing/      — tinqs.com website (from tinqs/website)
- web/docs/         — Platform docs (from tinqs/docs)
- web/blog/         — Blog (placeholder)
- runner/           — Ephemeral CI runner (from tinqs/runner)

All source repos will be deleted after verification.
2026-05-22 04:55:50 +00:00


#!/usr/bin/env bash
# Pre-deploy security gate for taco-bot: secret scan, committed .env check,
# internal URL scan, npm audit and a production build. A non-zero exit blocks
# the deployment; warnings are collected and printed in the summary.
set -euo pipefail

# State shared by every check below.
FAILED=0                # flipped to 1 by any blocking finding
declare -a WARNINGS=()  # non-blocking findings, one message per entry
# red MSG — print MSG on its own line in red (ANSI SGR 31), then reset colour.
# %b interprets backslash escapes in MSG the same way `echo -e` does.
red() { printf '\033[0;31m%b\033[0m\n' "$1"; }
# green MSG — print MSG on its own line in green (ANSI SGR 32), then reset colour.
# %b interprets backslash escapes in MSG the same way `echo -e` does.
green() { printf '\033[0;32m%b\033[0m\n' "$1"; }
# yellow MSG — print MSG on its own line in yellow (ANSI SGR 33), then reset colour.
# %b interprets backslash escapes in MSG the same way `echo -e` does.
yellow() { printf '\033[0;33m%b\033[0m\n' "$1"; }
# Banner.
printf '=========================================\n'
printf ' AGENTIC SECURITY SCAN — taco-bot\n'
printf '=========================================\n\n'
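# --- 1. Check for hardcoded secrets ---
echo "→ Scanning for secrets and API keys..."
# One GNU grep -E pattern per entry. These are plain ERE: grep -E does not
# understand hex escapes such as \x27 (inside a bracket expression the
# backslash is a literal character), so a single quote has to be written as
# a real ' — otherwise single-quoted assignments like password = '...' are
# silently missed.
SECRET_PATTERNS=(
  'AKIA[0-9A-Z]{16}'
  'sk-[a-zA-Z0-9]{20,}'
  'ghp_[a-zA-Z0-9]{36}'
  'gho_[a-zA-Z0-9]{36}'
  'github_pat_[a-zA-Z0-9_]{82}'
  'xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]+'
  'sk_live_[a-zA-Z0-9]+'
  'AIza[0-9A-Za-z_-]{35}'
  "password\\s*[:=]\\s*[\"'][^\"']{8,}"
  "secret\\s*[:=]\\s*[\"'][^\"']{8,}"
)
# File selection shared by every pattern: source and content files, minus
# dependencies, build output, VCS metadata, example env files and this script.
SECRET_GREP_ARGS=(
  -rn
  --include='*.ts' --include='*.tsx' --include='*.js' --include='*.json' --include='*.md' --include='*.html'
  --exclude-dir=node_modules --exclude-dir=.next --exclude-dir=.git --exclude-dir=.vercel
  --exclude='.env' --exclude='.env.local.example' --exclude='security-check.sh' --exclude='SOUL.md'
)
for pattern in "${SECRET_PATTERNS[@]}"; do
  rc=0
  HITS=$(grep "${SECRET_GREP_ARGS[@]}" -E "$pattern" . 2>/dev/null) || rc=$?
  if [ -n "$HITS" ]; then
    red " BLOCKED: Potential secret found!"
    printf '%s\n' "$HITS"
    FAILED=1
  elif [ "$rc" -ge 2 ]; then
    # grep status 2 = grep itself failed (bad pattern, unreadable files).
    # An empty result here means "could not scan", not "clean"; surface it
    # instead of letting `|| true` turn it into a pass.
    yellow " ⚠ Secret scan could not run pattern: $pattern"
    WARNINGS+=("Secret scan skipped pattern: $pattern")
  fi
done
# FAILED can only have been set by this section so far.
if [ "$FAILED" -eq 0 ]; then
  green " ✓ No secrets detected"
fi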
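# --- 2. Check for .env files that shouldn't be committed ---
echo ""
echo "→ Checking for committed .env files..."
# git pathspecs: an unmagic "*" also matches "/", so the last pattern catches
# local env files anywhere below the root, not only at top level. "--" keeps a
# pathspec beginning with "." or "-" from being parsed as an option.
rc=0
ENV_FILES=$(git ls-files -- '.env.local' '.env.production.local' '.env*.local' '*/.env*.local' 2>/dev/null) || rc=$?
if [ "$rc" -ne 0 ]; then
  # Not a git checkout (or git missing): the check did not run, which is not
  # the same as a clean result.
  yellow " ⚠ git ls-files failed — committed .env check skipped"
  WARNINGS+=("Committed .env check skipped: git ls-files failed")
elif [ -n "$ENV_FILES" ]; then
  red " BLOCKED: .env.local file committed to repo! (should be gitignored)"
  printf '%s\n' "$ENV_FILES"
  FAILED=1
else
  green " ✓ No .env.local files in repo"
fi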
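# --- 3. Check for private URLs / internal IPs ---
echo ""
echo "→ Scanning for internal URLs and private IPs..."
# Loopback plus the three RFC 1918 ranges. grep -E has no \d: a literal \d
# only matches the letter "d", so the 10/8 alternative never fired; digits
# are spelled [0-9] instead.
rc=0
INTERNAL_HITS=$(grep -rn --include='*.ts' --include='*.tsx' --include='*.js' --include='*.html' \
  -E '(localhost|127\.0\.0\.1|192\.168\.|10\.[0-9]+\.[0-9]+\.[0-9]+|172\.(1[6-9]|2[0-9]|3[01])\.)' . \
  --exclude-dir=node_modules --exclude-dir=.next --exclude-dir=.git --exclude-dir=.vercel \
  --exclude='security-check.sh' 2>/dev/null) || rc=$?
if [ -n "$INTERNAL_HITS" ]; then
  # Advisory only: dev-server config legitimately mentions localhost.
  yellow " ⚠ Internal URLs found (review manually):"
  printf '%s\n' "$INTERNAL_HITS"
  WARNINGS+=("Internal URLs detected")
elif [ "$rc" -ge 2 ]; then
  # grep status 2 = grep failed; do not report a scan that did not run as clean.
  yellow " ⚠ Internal URL scan could not run"
  WARNINGS+=("Internal URL scan did not complete")
else
  green " ✓ No internal URLs"
fi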
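# --- 4. Check dependencies ---
echo ""
echo "→ Checking dependencies..."
if [ -f "package-lock.json" ]; then
  # npm audit exits non-zero whenever it reports findings, so its exit status
  # cannot tell "findings" from "did not run"; `|| true` keeps set -e quiet and
  # the report text is inspected instead.
  AUDIT_OUTPUT=$(npm audit --json 2>/dev/null || true)

  # audit_count SEVERITY — print the SEVERITY count from the report's
  # metadata.vulnerabilities object (first occurrence), or 0 when absent.
  # npm indents its --json output ('"critical": 2'), so whitespace after the
  # colon must be allowed; an exact '"critical":[0-9]*' match stops at the
  # colon and reads every count as empty, i.e. 0.
  audit_count() {
    local n
    n=$(grep -m1 -oE "\"$1\": *[0-9]+" <<<"$AUDIT_OUTPUT" | grep -oE '[0-9]+$') || n=0
    printf '%s\n' "${n:-0}"
  }

  if ! grep -q '"critical":' <<<"$AUDIT_OUTPUT"; then
    # Empty or unparseable report (npm missing, registry unreachable): the
    # dependencies were not checked, which must not read as a pass.
    yellow " ⚠ npm audit produced no report — dependencies were NOT checked"
    WARNINGS+=("npm audit did not run; dependency vulnerabilities unchecked")
  else
    CRITICAL=$(audit_count critical)
    HIGH=$(audit_count high)
    if [ "$CRITICAL" -gt 0 ]; then
      red " BLOCKED: $CRITICAL critical vulnerabilities"
      FAILED=1
    elif [ "$HIGH" -gt 0 ]; then
      yellow "$HIGH high-severity vulnerabilities"
      WARNINGS+=("$HIGH high-severity npm vulnerabilities")
    else
      green " ✓ No critical/high vulnerabilities"
    fi
  fi
fi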
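# --- 5. Production build (Next.js) ---
echo ""
echo "→ Running next build..."
# Write the log to a private temp file, not a fixed name under /tmp: on a
# shared runner another local user could pre-create or symlink that path and
# have the build output written wherever it points.
BUILD_LOG=$(mktemp) || { red " BLOCKED: could not create build log"; exit 1; }
# Removed on every exit path. If the log must survive as a CI artifact, copy it
# to a job-private location before exit instead of using a fixed /tmp name.
trap 'rm -f -- "$BUILD_LOG"' EXIT
# `npm run build` executes the repository's own build script; it runs last so
# that the static checks above have already reported before any repo code runs.
if npm run build > "$BUILD_LOG" 2>&1; then
  green " ✓ Build succeeded"
else
  red " BLOCKED: Build failed!"
  tail -n 30 -- "$BUILD_LOG"
  FAILED=1
fi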
# --- Summary ---
# Blocking findings exit 1; warnings are listed but still exit 0.
echo ""
echo "========================================="
if (( FAILED != 0 )); then
  red " ✗ DEPLOYMENT BLOCKED"
  red " Fix the issues above and push again."
  echo "========================================="
  exit 1
fi
if (( ${#WARNINGS[@]} > 0 )); then
  yellow " ⚠ PASSED WITH WARNINGS"
  for warning in "${WARNINGS[@]}"; do
    yellow " - ${warning}"
  done
else
  green " ✓ ALL CHECKS PASSED"
fi
echo "========================================="
exit 0