#!/bin/bash
# ╔══════════════════════════════════════════════════════════════════════════════╗
# β•‘ check_secrets.sh β€” Manual secret scanner for INFJ Bot / DRIFT β•‘
# β•‘ Run this before pushing if you bypassed the pre-commit hook. β•‘
# β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•
set -euo pipefail
RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m'
FOUND=0
echo "πŸ” Scanning repository for potential secrets..."
echo ""
PATTERNS=(
'sk-ant-[a-zA-Z0-9]{48,}'
'sk-proj-[a-zA-Z0-9_-]{40,}'
'sk-live-[a-zA-Z0-9]{40,}'
'8f13df41-d7d6-491f-aedf-785fffcaad51'
'sk-[a-zA-Z0-9]{48,}'
'AIza[0-9A-Za-z_-]{35,}'
'Bearer [a-zA-Z0-9_\-]{40,}'
'AKIA[0-9A-Z]{16}'
'BEGIN OPENSSH PRIVATE KEY'
'BEGIN RSA PRIVATE KEY'
)
for pattern in "${PATTERNS[@]}"; do
MATCHES=$(grep -rnHP "$pattern" --include="*.py" --include="*.md" --include="*.yaml" --include="*.yml" --include="*.sh" --include="*.json" --include="*.txt" . 2>/dev/null | grep -v ".git/" | grep -v "venv/" | grep -v "__pycache__/" || true)
if [ -n "$MATCHES" ]; then
echo -e "${YELLOW}⚠️ Pattern match:${NC}"
echo "$MATCHES" | head -n 10
FOUND=1
fi
done
# Check for untracked .env files
UNTRACKED_ENV=$(git ls-files --others --exclude-standard | grep -E "^\.env" || true)
if [ -n "$UNTRACKED_ENV" ]; then
echo -e "${YELLOW}⚠️ Untracked env files found (OK if gitignored):${NC}"
echo "$UNTRACKED_ENV"
fi
if [ "$FOUND" -eq 0 ]; then
echo -e "${GREEN}βœ… No obvious secrets found in tracked files.${NC}"
else
echo ""
echo -e "${RED}❌ Potential secrets detected. Review before pushing.${NC}"
exit 1
fi