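#!/bin/bash
# Config file sanitization.
#
# Reports lines that look like committed credentials under the config
# directory (check only — nothing is rewritten), tightens permissions on
# non-example/non-schema config files, and removes temporary config files.
#
# Usage: run from the repository root.
# Env:
#   CONFIG_DIR              directory to process (default: configs)
#   CONFIG_SANITIZE_STRICT  set to 1 to exit non-zero when potential
#                           credentials are reported (default: report only,
#                           exit 0 — the historical behaviour)
set -euo pipefail

readonly config_dir="${CONFIG_DIR:-configs}"
readonly strict="${CONFIG_SANITIZE_STRICT:-0}"

# What counts as a potential credential: an API-key-shaped token
# (sk- followed by 20+ alphanumerics) or a "password:" whose value starts
# with something other than a mask character ('*'), an empty quote pair or
# nothing at all. Quoted values are inspected after the opening quote.
readonly secret_pattern="(sk-[a-zA-Z0-9]{20,}|password:[[:space:]]*[\"']?[^\"'*[:space:]])"

# Placeholder markers that make a match benign. The prefix anchors the
# allowlist to the matched CONTENT of a "path:lineno:content" grep line, so
# a file that merely lives under a path containing "example" is still
# reported; a path containing ':' simply fails to match and is reported too.
readonly allowlist_pattern='^[^:]*:[0-9]+:.*(example|dummy|changeme|your_|\[REDACTED\])'

#######################################
# Print config lines that look like real credentials.
# Globals:   secret_pattern, allowlist_pattern (read)
# Arguments: $1 - directory to scan recursively
# Outputs:   matching lines as path:lineno:content on stdout
# Returns:   0 if at least one line was reported, non-zero otherwise
#######################################
scan_for_secrets() {
  local dir=$1
  grep -rnE --include='*.yaml' --include='*.yml' --include='*.toml' \
    -- "$secret_pattern" "$dir" 2>/dev/null \
    | grep -vE -- "$allowlist_pattern"
}

#######################################
# Restrict non-example, non-schema config files to owner read/write.
# Arguments: $1 - directory to process recursively
# Returns:   always 0 (best effort: chmod may fail on files we do not own;
#            the error is left visible on stderr rather than silenced)
#######################################
harden_permissions() {
  local dir=$1
  find "$dir" -type f \( -name '*.yaml' -o -name '*.yml' -o -name '*.toml' \) \
    ! -name '*example*' ! -name '*schema*' -exec chmod 600 -- {} + || true
}

#######################################
# Remove temporary config files left behind by tooling.
# Arguments: $1 - config directory
# Returns:   always 0 (best effort; -f keeps a no-match glob silent)
#######################################
remove_temp_files() {
  local dir=$1
  rm -f -- "$dir"/.tmp.* "$dir"/api/.local.* || true
}

#######################################
# Entry point.
# Globals:   config_dir, strict (read)
# Returns:   0 normally; 1 when credentials were reported and strict mode is on
#######################################
main() {
  printf '=== Config File Sanitization ===\n'

  if [[ ! -d "$config_dir" ]]; then
    # Nothing to do; report rather than let grep/find fail on a missing path.
    printf 'No %s directory found; nothing to sanitize\n' "$config_dir" >&2
    return 0
  fi

  local findings=0
  printf 'Checking for potential credentials in configs...\n'
  if scan_for_secrets "$config_dir"; then
    printf 'WARNING: Potential credentials found in configs (review above)\n' >&2
    findings=1
  fi

  harden_permissions "$config_dir"
  remove_temp_files "$config_dir"

  printf 'Config sanitization complete\n'

  if (( findings )) && [[ "$strict" == 1 ]]; then
    return 1
  fi
  return 0
}

main "$@"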