#!/usr/bin/env bash
# ╔══════════════════════════════════════════════════════════════════════════════╗
# ║ check_secrets.sh - Manual secret scanner for INFJ Bot / DRIFT                ║
# ║ Run this before pushing if you bypassed the pre-commit hook.                 ║
# ╚══════════════════════════════════════════════════════════════════════════════╝
set -euo pipefail

RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m'
FOUND=0

# Only tracked files reach the remote, so scan those with `git grep` instead of
# `grep -r .` over the working tree (which also walks venv/, caches and other
# ignored paths and would have to filter them out by hand).
cd "$(git rev-parse --show-toplevel)"
SELF="$(basename "$0")"

echo "🔍 Scanning tracked files for potential secrets..."
echo ""

# POSIX extended regexps (grep -E); no PCRE (-P) is needed, so this also runs
# on BSD/macOS grep.
PATTERNS=(
  'sk-ant-[A-Za-z0-9]{48,}'
  'sk-proj-[A-Za-z0-9_-]{40,}'
  'sk-live-[A-Za-z0-9]{40,}'
  '8f13df41-d7d6-491f-aedf-785fffcaad51'
  'sk-[A-Za-z0-9]{48,}'
  'AIza[0-9A-Za-z_-]{35,}'
  'Bearer [A-Za-z0-9_-]{40,}'
  'AKIA[0-9A-Z]{16}'
  'BEGIN OPENSSH PRIVATE KEY'
  'BEGIN RSA PRIVATE KEY'
)

# File types worth scanning; git pathspec globs match at any depth.
FILE_GLOBS=('*.py' '*.md' '*.yaml' '*.yml' '*.sh' '*.json' '*.txt')

for pattern in "${PATTERNS[@]}"; do
  # This script literally contains every pattern, so drop its own lines or
  # every run would flag check_secrets.sh itself.
  MATCHES=$(git grep -nE "$pattern" -- "${FILE_GLOBS[@]}" \
            | grep -vE "(^|/)${SELF}:" || true)
  if [ -n "$MATCHES" ]; then
    echo -e "${YELLOW}⚠️  Pattern match for ${pattern} (first 10 shown):${NC}"
    echo "$MATCHES" | head -n 10
    FOUND=1
  fi
done

# A tracked .env file is already in history and will be pushed: that is a
# finding, not a warning. Templates (.env.example etc.) are allowed.
TRACKED_ENV=$(git ls-files | grep -E '(^|/)\.env' | grep -vE '\.(example|sample|template)$' || true)
if [ -n "$TRACKED_ENV" ]; then
  echo -e "${RED}❌ .env file(s) are tracked by git:${NC}"
  echo "$TRACKED_ENV"
  FOUND=1
fi

# `--others --exclude-standard` lists untracked files that are NOT ignored,
# i.e. exactly the .env files a careless `git add .` would commit.
UNTRACKED_ENV=$(git ls-files --others --exclude-standard | grep -E '(^|/)\.env' || true)
if [ -n "$UNTRACKED_ENV" ]; then
  echo -e "${YELLOW}⚠️  Untracked .env files not covered by .gitignore:${NC}"
  echo "$UNTRACKED_ENV"
fi

if [ "$FOUND" -eq 0 ]; then
  echo -e "${GREEN}✅ No obvious secrets found in tracked files.${NC}"
else
  echo ""
  echo -e "${RED}❌ Potential secrets detected. Review before pushing.${NC}"
  exit 1
fi
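The following self-test for the pattern list is an added example; it is not part of check_secrets.sh or the INFJ Bot / DRIFT repository. It copies the script's regular expressions into a POSIX sh function, feeds constructed sample lines through them (every "key" below is filler, not a real credential) and checks which ones fire: a well-formed Anthropic-style and generic `sk-` key, a too-short key that must not fire, an `AKIA` id in upper and lower case, a documentation placeholder after `Bearer ` that fires anyway (a known false positive of that pattern), a PEM header, and a `ghp_` GitHub token that the list does not cover at all. The `ghp_` sample and the `count_hits` / `run_selftest` names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of check_secrets.sh: self-test for its pattern list.
# -f disables globbing so the bracket expressions in PATTERNS are never
# expanded against the file system when the for loop splits them.
set -euf

# Same ERE patterns as check_secrets.sh, one per line (POSIX sh has no arrays).
PATTERNS='sk-ant-[A-Za-z0-9]{48,}
sk-proj-[A-Za-z0-9_-]{40,}
sk-live-[A-Za-z0-9]{40,}
sk-[A-Za-z0-9]{48,}
AIza[0-9A-Za-z_-]{35,}
Bearer [A-Za-z0-9_-]{40,}
AKIA[0-9A-Z]{16}
BEGIN OPENSSH PRIVATE KEY
BEGIN RSA PRIVATE KEY'

# count_hits LINE: print how many of the patterns match LINE.
count_hits() {
  _line=$1
  _n=0
  _oldifs=$IFS
  IFS='
'
  for _p in $PATTERNS; do
    if printf '%s\n' "$_line" | grep -qE -- "$_p"; then
      _n=$((_n + 1))
    fi
  done
  IFS=$_oldifs
  printf '%s\n' "$_n"
}

# Constructed samples. The filler is generated so no real-looking key is
# committed with this example.
FILL48=$(printf '%048d' 0 | tr 0 A)   # 48 x 'A'
FILL40=$(printf '%040d' 0 | tr 0 x)   # 40 x 'x'
FAKE_ANT="ANTHROPIC_API_KEY=sk-ant-$FILL48"                  # should fire once (sk-ant)
SHORT_ANT="ANTHROPIC_API_KEY=sk-ant-AAAAAAAAAAAA"            # 12 chars: too short, no hit
FAKE_OPENAI="OPENAI_API_KEY=sk-$FILL48"                      # generic sk- pattern fires once
FAKE_AKIA="aws_access_key_id = AKIAABCDEFGHIJKLMNOP"         # 16 upper-case chars: fires
LOWER_AKIA="aws_access_key_id = AKIAabcdefghijklmnop"        # lower-case: pattern misses
DOC_BEARER="curl -H 'Authorization: Bearer $FILL40' https://example.invalid/"  # placeholder still fires
PEM="-----BEGIN OPENSSH PRIVATE KEY-----"                    # header line fires
GH_PAT="GITHUB_TOKEN=ghp_$(printf '%036d' 0 | tr 0 b)"      # assumed ghp_ token: not covered, no hit

# run_selftest: exit status 0 when every expectation above holds, 1 otherwise.
run_selftest() {
  [ "$(count_hits "$FAKE_ANT")" -eq 1 ] || return 1
  [ "$(count_hits "$SHORT_ANT")" -eq 0 ] || return 1
  [ "$(count_hits "$FAKE_OPENAI")" -eq 1 ] || return 1
  [ "$(count_hits "$FAKE_AKIA")" -eq 1 ] || return 1
  [ "$(count_hits "$LOWER_AKIA")" -eq 0 ] || return 1
  [ "$(count_hits "$DOC_BEARER")" -eq 1 ] || return 1
  [ "$(count_hits "$PEM")" -eq 1 ] || return 1
  [ "$(count_hits "$GH_PAT")" -eq 0 ] || return 1
  return 0
}

if run_selftest; then
  echo "pattern self-test passed"
else
  echo "pattern self-test FAILED" >&2
  exit 1
fi
```

Run it whenever the pattern list changes: a failing `run_selftest` means the scanner no longer catches what it is meant to catch, or has started flagging what it should not. The `GH_PAT` case is the one to extend first if the project ever handles GitHub tokens, since nothing in the current list matches that prefix.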