Marius Mutu 6b13ffa183 Initial commit: ROA2WEB - FastAPI + Vue.js + Telegram Bot
Modern ERP Reports Application with microservices architecture

Tech Stack:
- Backend: FastAPI + python-oracledb (Oracle DB integration)
- Frontend: Vue.js 3 + PrimeVue + Vite
- Telegram Bot: python-telegram-bot + SQLite
- Infrastructure: Shared database pool, JWT authentication, SSH tunnel

Features:
- FastAPI backend with async Oracle connection pool
- Vue.js 3 responsive frontend with PrimeVue components
- Telegram bot alternative interface
- Microservices architecture with shared components
- Complete deployment support (Linux Docker + Windows IIS)
- Comprehensive testing (Playwright E2E + pytest)

Repository Structure:
- reports-app/ - Main application (backend, frontend, telegram-bot)
- shared/ - Shared components (database pool, auth, utils)
- deployment/ - Deployment scripts (Linux & Windows)
- docs/ - Project documentation
- security/ - Security scanning and git hooks
2025-10-25 14:55:08 +03:00



#!/bin/bash
#
# 🔒 ROA2WEB Pre-commit Hook
# Prevents committing files with secrets and credentials
#
# Installation:
# cp security/git_hooks/pre-commit .git/hooks/pre-commit
# chmod +x .git/hooks/pre-commit
#
set -e

# ANSI colour escapes. They are stored as the literal backslash sequences and
# turned into control bytes only at print time (echo -e / printf '%b').
RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m' # reset to default colour

# Banner shown on every run so the developer knows the hook is active.
printf '%b\n' "${GREEN}🔒 ROA2WEB Security Pre-commit Check${NC}"
# Content patterns, matched case-insensitively as extended regexes by
# scan_file_content; any hit blocks the commit.
#
# NOTE(review): entries such as "Parola81" (and possibly "ROMFASTSOFT") look
# like the literal credential values themselves. The header says this hook is
# copied from security/git_hooks/pre-commit, i.e. a tracked file, so the hook
# discloses the very secret it exists to keep out of the repository. Matching
# the variable name or the credential *format* (as the AKIA and Bearer entries
# do), or loading value-based patterns from an untracked local file, avoids
# that. The private-key entry begins with "-", so it must be passed to grep
# after "--" or grep reads it as an option instead of a pattern.
# The hosting forge also flags invisible Unicode characters in this file;
# presumably variation selectors on the emoji in the messages, but confirm
# none sit inside these patterns, where one would silently change the match.
declare -a CRITICAL_PATTERNS=(
  "ORACLE_PASSWORD"
  "ROMFASTSOFT"
  "Parola81"
  "VALID_USERS.*password"
  "-----BEGIN.*PRIVATE KEY-----"
  "AKIA[0-9A-Z]{16}"                  # AWS access key id format
  "Bearer [A-Za-z0-9\-\._~\+\/]+=*"   # Bearer tokens
)

# Path patterns, matched case-insensitively as extended regexes by
# check_suspicious_filename. Unanchored entries such as "password" also hit
# ordinary source files (a password-reset component, for instance); only a
# ".example" suffix is exempted.
declare -a SUSPICIOUS_FILES=(
  "\.env$"
  "_rsa$"
  "\.pem$"
  "\.key$"
  "secret"
  "credential"
  "password"
  "config\.prod"
)
# Function to check if file should be scanned
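#######################################
# Decide whether a staged path should have its content scanned.
# Arguments: $1 - path relative to the repository root
# Returns:   0 if the file should be scanned, 1 to skip it
#######################################
should_scan_file() {
  local file=$1

  # Deleted or non-regular paths have no content to scan. This looks at the
  # working-tree copy, not the staged blob, so a partially staged file may
  # differ from what the scanners later read.
  [[ -f "$file" ]] || return 1

  # Skip binary files. The MIME line reports "charset=binary" for binary data,
  # whereas plain `file` output usually does not contain the word "binary";
  # -b keeps the filename out of the grepped text, so a path that merely
  # contains "binary" is not skipped by mistake. If file(1) is unavailable
  # the test is false and the file is scanned anyway.
  if file -b --mime "$file" 2>/dev/null | grep -q binary; then
    return 1
  fi

  # Well-known binary/image extensions are skipped outright.
  case "$file" in
    *.png|*.jpg|*.jpeg|*.gif|*.pdf|*.zip|*.tar.gz|*.ico) return 1 ;;
  esac

  return 0
}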
# Function to scan file content for secrets
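#######################################
# Grep one file for every CRITICAL_PATTERNS entry and report the hits.
# Globals:   CRITICAL_PATTERNS (read), RED YELLOW NC (read)
# Arguments: $1 - path to scan (the working-tree copy)
# Outputs:   one CRITICAL line per matching pattern plus up to three matching
#            lines (which contain the secret itself) on stdout
# Returns:   number of patterns that matched, 0 when clean. Under `set -e` a
#            non-zero count is a "failure" to the shell, so callers must
#            capture it as `scan_file_content f || n=$?`.
#######################################
scan_file_content() {
  local file=$1
  local violations=0
  local pattern hit

  for pattern in "${CRITICAL_PATTERNS[@]}"; do
    # "--" is required: the private-key pattern starts with "-" and grep would
    # otherwise parse it as an option, fail, and never report a key.
    # grep errors (e.g. unreadable file) are deliberately silent: such a file
    # counts as clean rather than aborting the whole hook.
    if grep -qiE -- "$pattern" "$file" 2>/dev/null; then
      printf '%b%s%b\n' "${RED}❌ CRITICAL: Secret pattern detected in " "$file" "$NC"
      printf '%b%s%b\n' "${YELLOW} Pattern: " "$pattern" "$NC"
      # Show at most three matching lines. The text comes from the file under
      # scan and is printed with %s (not %b/echo -e) so backslash escapes in
      # it cannot inject terminal control sequences; -r keeps backslashes.
      while IFS= read -r hit; do
        printf '%b%s%b\n' "${YELLOW} " "$hit" "$NC"
      done < <(grep -inE -- "$pattern" "$file" 2>/dev/null | head -3)
      violations=$((violations + 1))
    fi
  done

  return "$violations"
}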
# Function to check suspicious filenames
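#######################################
# Flag paths whose name suggests a secret or a private config file.
# Globals:   SUSPICIOUS_FILES (read), RED YELLOW NC (read)
# Arguments: $1 - path to check
# Outputs:   SUSPICIOUS lines on stdout when the name matches
# Returns:   0 when the name is unremarkable, 1 on the first matching pattern
#######################################
check_suspicious_filename() {
  local file=$1
  local pattern   # was an unscoped loop variable leaking into global scope

  for pattern in "${SUSPICIOUS_FILES[@]}"; do
    # Here-string instead of echo so a name such as "-n" is not eaten as an
    # echo option; "--" guards against patterns that begin with "-".
    grep -qiE -- "$pattern" <<<"$file" || continue
    # Templates such as .env.example are expected in the repo. Note the
    # exemption is case-sensitive while the match above is not.
    if grep -q -- '\.example$' <<<"$file"; then
      continue
    fi
    # The file name is printed with %s so backslashes in it are not
    # interpreted as escapes.
    printf '%b%s%b\n' "${RED}❌ SUSPICIOUS: Potentially sensitive file: " "$file" "$NC"
    printf '%b%s%b\n' "${YELLOW} Pattern: " "$pattern" "$NC"
    return 1
  done

  return 0
}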
# Get list of staged files
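# Collect staged paths NUL-delimited so names containing spaces or newlines
# arrive intact (-z also disables git's quoting of unusual paths). A process
# substitution is used because $(...) would drop the NUL separators.
staged_files=()
while IFS= read -r -d '' file; do
  staged_files+=("$file")
done < <(git diff --cached --name-only --diff-filter=ACM -z)

if (( ${#staged_files[@]} == 0 )); then
  printf '%b\n' "${GREEN}✅ No staged files to check${NC}"
  exit 0
fi

echo "🔍 Scanning staged files for secrets..."
total_violations=0
scanned_files=0

# Check each staged file: first the name, then the content.
for file in "${staged_files[@]}"; do
  should_scan_file "$file" || continue
  scanned_files=$((scanned_files + 1))

  # A suspicious name counts as one violation.
  if ! check_suspicious_filename "$file"; then
    total_violations=$((total_violations + 1))
  fi

  # scan_file_content returns the hit count. Under `set -e` a bare call with a
  # non-zero count aborts the hook right here, before the summary below is
  # printed, so the status is captured with || instead of reading $? after.
  violations=0
  scan_file_content "$file" || violations=$?
  total_violations=$((total_violations + violations))
done

echo "📊 Scanned $scanned_files files"

# Block the commit if anything was found; the messages below are the only
# guidance the developer sees, so they must be reached.
if (( total_violations > 0 )); then
  printf '%b\n' "$RED"
  echo "=========================================="
  echo "🚨 COMMIT BLOCKED - SECURITY VIOLATIONS!"
  echo "=========================================="
  printf '%b\n' "$NC"
  echo "Found $total_violations security violations"
  echo ""
  echo "🔧 Actions to take:"
  echo "1. Remove sensitive data from files"
  echo "2. Move secrets to environment variables"
  echo "3. Add files to .gitignore if needed"
  echo "4. Regenerate any exposed credentials"
  echo ""
  echo " To bypass this check (NOT RECOMMENDED):"
  echo " git commit --no-verify"
  echo ""
  exit 1
fi

printf '%b\n' "${GREEN}✅ Security check passed - no violations found${NC}"
exit 0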