21f6577592
- Migrate from Vite to Next.js 15 for server-side API support - Add dynamic API route at /api/filaments that fetches from Confluence - Implement security measures: - API credentials only accessible server-side - Security scan script to detect credential leaks - Tests to ensure no sensitive data exposure - Build-time security checks in CI/CD - Update AWS Amplify configuration for Next.js deployment - Update Terraform to use WEB_COMPUTE platform for Next.js - Add Jest tests for API security - Remove static JSON approach in favor of dynamic API This provides real-time data updates while keeping credentials secure on the server. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
91 lines
2.4 KiB
JavaScript
91 lines
2.4 KiB
JavaScript
const fs = require('fs');
|
|
const path = require('path');
|
|
|
|
// Patterns that might indicate leaked credentials
|
|
const sensitivePatterns = [
|
|
/ATATT[A-Za-z0-9+/=]{100,}/g, // Confluence tokens
|
|
/ghp_[A-Za-z0-9]{36,}/g, // GitHub tokens
|
|
/api[_-]?key[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
|
|
/token[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
|
|
/password[_-]?[=:]\s*["']?[^\s"']{8,}/gi,
|
|
/secret[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
|
|
];
|
|
|
|
// Files to exclude from scanning
|
|
const excludePatterns = [
|
|
/node_modules/,
|
|
/\.git/,
|
|
/\.next/,
|
|
/dist/,
|
|
/build/,
|
|
/terraform\.tfvars$/,
|
|
/\.env/,
|
|
/security-check\.js$/,
|
|
];
|
|
|
|
function scanFile(filePath) {
|
|
const content = fs.readFileSync(filePath, 'utf8');
|
|
const issues = [];
|
|
|
|
sensitivePatterns.forEach(pattern => {
|
|
const matches = content.match(pattern);
|
|
if (matches) {
|
|
matches.forEach(match => {
|
|
// Only flag if it's not a placeholder or example
|
|
if (!match.includes('example') && !match.includes('YOUR_') && !match.includes('xxx')) {
|
|
issues.push({
|
|
file: filePath,
|
|
pattern: pattern.source,
|
|
match: match.substring(0, 20) + '...',
|
|
});
|
|
}
|
|
});
|
|
}
|
|
});
|
|
|
|
return issues;
|
|
}
|
|
|
|
function scanDirectory(dir) {
|
|
const issues = [];
|
|
|
|
function walk(currentPath) {
|
|
const entries = fs.readdirSync(currentPath, { withFileTypes: true });
|
|
|
|
for (const entry of entries) {
|
|
const fullPath = path.join(currentPath, entry.name);
|
|
const relativePath = path.relative(process.cwd(), fullPath);
|
|
|
|
// Skip excluded paths
|
|
if (excludePatterns.some(pattern => pattern.test(relativePath))) {
|
|
continue;
|
|
}
|
|
|
|
if (entry.isDirectory()) {
|
|
walk(fullPath);
|
|
} else if (entry.isFile() && /\.(js|ts|jsx|tsx|json|yml|yaml|md)$/.test(entry.name)) {
|
|
const fileIssues = scanFile(fullPath);
|
|
issues.push(...fileIssues);
|
|
}
|
|
}
|
|
}
|
|
|
|
walk(dir);
|
|
return issues;
|
|
}
|
|
|
|
// Run the scan
|
|
console.log('🔍 Scanning for potential credential leaks...\n');
|
|
const issues = scanDirectory(process.cwd());
|
|
|
|
if (issues.length > 0) {
|
|
console.error('❌ Found potential credential leaks:\n');
|
|
issues.forEach(issue => {
|
|
console.error(`File: ${issue.file}`);
|
|
console.error(`Pattern: ${issue.pattern}`);
|
|
console.error(`Match: ${issue.match}\n`);
|
|
});
|
|
process.exit(1);
|
|
} else {
|
|
console.log('✅ No credential leaks detected');
|
|
} |