Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions .github/workflows/secret-scan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# Secret-scan backstop. The allowlist export is the gate; this is the seatbelt.
# Uses the gitleaks BINARY (Apache-2.0, free) — NOT gitleaks-action, which
# requires a paid GITLEAKS_LICENSE for organization repos. Scans the current tree
# (--no-git) so it blocks NEW secrets/infra strings without re-flagging old history.
name: secret-scan
on:
push:
pull_request:

jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: install gitleaks
run: |
curl -sSL -o /tmp/gl.tgz \
https://github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_linux_x64.tar.gz
tar -xzf /tmp/gl.tgz -C /tmp gitleaks
sudo install /tmp/gitleaks /usr/local/bin/gitleaks
- name: scan working tree
run: gitleaks detect --source . --no-git --config .gitleaks.toml --redact --verbose

infra-strings:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: block infra / local-path leaks
run: |
set -e
patt='172\.(30|31)\.[0-9]+\.[0-9]+|/Users/[a-z0-9._-]+/|aipgcoregen|BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY'
if git grep -nIE "$patt" -- . ':(exclude).gitleaks.toml' ':(exclude)**/secret-scan.yml'; then
echo "::error::infra/secret string found above — scrub before merge"; exit 1
fi
if git ls-files | grep -iE 'security_audit|audit_report'; then
echo "::error::audit report file tracked — must not ship"; exit 1
fi
echo "infra-string scan clean"
59 changes: 59 additions & 0 deletions .gitleaks.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
# gitleaks config for AIPG OSS release scanning.
# Extends gitleaks' default ruleset (API keys, AWS, private keys, JWTs, ...) with
# AIPG-specific leaks that the defaults DON'T catch: internal infra, local dev
# paths, R2 buckets, on-chain addresses. Use with:
# gitleaks detect --source <repo> --config .gitleaks.toml --redact

[extend]
useDefault = true

[[rules]]
id = "aipg-internal-ip"
description = "Internal datacenter IP (Proxmox/LXC range)"
regex = '''\b(172\.(3[01])|10\.)\.\d{1,3}\.\d{1,3}\b'''
tags = ["aipg", "infra"]

[[rules]]
id = "aipg-local-dev-path"
description = "Local developer absolute path (leaks username / machine layout)"
regex = '''/Users/[a-z0-9._-]+/'''
tags = ["aipg", "infra"]

[[rules]]
id = "aipg-r2-bucket"
description = "Cloudflare R2 / internal bucket names"
regex = '''\b(aipgcoregen|aipg-transient|aipgcore[a-z0-9-]*)\b'''
tags = ["aipg", "infra"]

[[rules]]
id = "aipg-eth-private-key"
description = "EVM private key (64 hex, optionally 0x)"
regex = '''\b(0x)?[a-fA-F0-9]{64}\b'''
tags = ["aipg", "wallet"]
# Hex-64 is also sha256 hashes / git oids → high false positives. Treated as a
# REVIEW signal, not an auto-block; the human triages contracts/worker output.
[rules.allowlist]
regexes = ['''[a-f0-9]{64}'''] # lowercase-only 64hex (hashes) are usually benign
paths = ['''(?i)(test|fixture|mock|\.lock|package-lock|yarn\.lock|poetry\.lock)''']

[[rules]]
id = "aipg-mnemonic"
description = "BIP-39 mnemonic / seed phrase markers"
regex = '''(?i)(mnemonic|seed[\s_-]?phrase)\s*[:=]\s*["']?(\w+\s+){11,}'''
tags = ["aipg", "wallet"]

# Global allowlist: example/template/sample env + docs placeholders never block.
[allowlist]
description = "Non-secret placeholders, lockfiles, and the scanner's own config"
paths = [
'''(?i)\.env\.(example|template|sample)$''',
'''(?i)(^|/)(examples?|samples?)/''',
'''(?i)\.(lock)$''',
'''(?i)(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|poetry\.lock|Cargo\.lock)$''',
# The scanner's own files contain the patterns by definition — never self-flag.
'''(?i)\.gitleaks\.toml$''',
'''(?i)secret-scan\.ya?ml$''',
]
regexes = [
'''(?i)(your[-_]?api[-_]?key|example|placeholder|changeme|xxxx+|<[a-z_]+>)''',
]
2 changes: 1 addition & 1 deletion AGENTS.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ result. Ships as a single PyInstaller binary with a browser setup wizard + dashb

## Local Contracts

- **Inherit org engineering standards:** `/Users/j/fix-axios-vuln/aipg-documentation/engineering-standards/`
- **Inherit org engineering standards:** `aipg-documentation/engineering-standards/`
(core + `git` + the matching language file — `python.md`).
- **This is a CLIENT of the grid, not the grid.** It speaks the grid's worker protocols only;
it never owns coordinator state. The grid's contracts live in `grid-core/grid_api`.
Expand Down
Loading
Loading