Marius Mutu
6b13ffa183
Modern ERP Reports Application with microservices architecture Tech Stack: - Backend: FastAPI + python-oracledb (Oracle DB integration) - Frontend: Vue.js 3 + PrimeVue + Vite - Telegram Bot: python-telegram-bot + SQLite - Infrastructure: Shared database pool, JWT authentication, SSH tunnel Features: - FastAPI backend with async Oracle connection pool - Vue.js 3 responsive frontend with PrimeVue components - Telegram bot alternative interface - Microservices architecture with shared components - Complete deployment support (Linux Docker + Windows IIS) - Comprehensive testing (Playwright E2E + pytest) Repository Structure: - reports-app/ - Main application (backend, frontend, telegram-bot) - shared/ - Shared components (database pool, auth, utils) - deployment/ - Deployment scripts (Linux & Windows) - docs/ - Project documentation - security/ - Security scanning and git hooks
🔒 ROA2WEB Security Audit Implementation
📋 Overview
This directory contains comprehensive security tools for the ROA2WEB project, implemented based on the critical findings in SECURITY_AUDIT_CONTEXT.md. The implementation addresses the discovered secrets in git history and provides ongoing protection against future security violations.
🚨 Critical Issues Addressed
Secrets Found in Repository:
- Oracle Password:
ROMFASTSOFT(in multiple .env files) - User Passwords:
{"marius": "Parola81", "eli": "eli"} - SSH Private Key:
roa_oracle_server - Environment Files: Multiple .env files with production credentials
🛠️ Security Tools Implemented
1. 🔍 secrets_scanner.py
Advanced secrets detection tool with pattern-based scanning.
Features:
- Scans current files for secrets and credentials
- Optional git history scanning
- Pattern-based detection with high accuracy
- JSON report generation
- Integration ready for CI/CD
Usage:
# Basic scan
python security/secrets_scanner.py
# Scan with git history (slow but thorough)
python security/secrets_scanner.py --scan-git-history
# Save detailed report
python security/secrets_scanner.py --save-report security_report.json
2. 🧹 git_cleanup.py
Git history cleanup tool for removing secrets from repository history.
Features:
- Complete repository backup before cleanup
- Removes sensitive files from git history
- Replaces secret patterns in commits
- Verification of cleanup completion
- Detailed logging of all actions
Usage:
# Create backup only
python security/git_cleanup.py --backup
# Scan for secrets in history
python security/git_cleanup.py --scan
# Run complete cleanup (DANGEROUS - rewrites history)
python security/git_cleanup.py --cleanup
# Force cleanup without prompts
python security/git_cleanup.py --cleanup --force
3. 🪝 Git Hooks
Pre-commit and commit-msg hooks to prevent future secrets commits.
Installation:
# Install all security hooks
./security/install_hooks.sh
Features:
- pre-commit: Scans staged files for secrets before commit
- commit-msg: Validates commit messages for suspicious keywords
- Blocks commits containing credentials
- Provides actionable remediation guidance
4. 🛡️ Enhanced .gitignore
Comprehensive patterns to prevent committing sensitive files.
Added Protections:
- All environment files (except .example)
- SSH keys and certificates
- Secrets and credentials files
- Database connection files
- Production configurations
- Development tool caches
📊 Security Scanning Patterns
Critical Patterns Detected:
ORACLE_PASSWORD=*VALID_USERS=*- SSH private key headers
- AWS access keys
- Bearer tokens
- Generic password patterns
- Connection strings
Suspicious File Patterns:
*.env(except .example)*_rsa,*.key,*.pem*secret*,*credential*,*password*config.prod.*
🚀 Quick Start Guide
1. Immediate Security Scan
# Run comprehensive security scan
python security/secrets_scanner.py --save-report current_security_status.json
2. Install Git Hooks
# Prevent future secrets commits
./security/install_hooks.sh
3. (CRITICAL) Git History Cleanup
⚠️ WARNING: This rewrites git history. Coordinate with your team first!
# 1. Create backup
python security/git_cleanup.py --backup
# 2. Scan for secrets in history
python security/git_cleanup.py --scan
# 3. Run cleanup (after team coordination)
python security/git_cleanup.py --cleanup
4. Regenerate Compromised Credentials
🔑 MANDATORY: All exposed credentials must be regenerated:
- Oracle password:
ROMFASTSOFT - User passwords:
Parola81,eli - SSH key:
roa_oracle_server
📋 Security Checklist
✅ Immediate Actions (DONE):
- Enhanced root .gitignore with security patterns
- Implemented secrets scanner tool
- Created git history cleanup tools
- Installed git hooks for prevention
- Documented security procedures
🔧 Required Actions (TODO):
- CRITICAL: Regenerate Oracle password (
ROMFASTSOFT) - CRITICAL: Regenerate user passwords (
Parola81,eli) - CRITICAL: Regenerate SSH key (
roa_oracle_server) - Run git history cleanup (
git_cleanup.py --cleanup) - Force push cleaned history to all remotes
- Notify team to re-clone repository
- Update production environment with new credentials
🔒 Ongoing Security:
- Regular security scans in CI/CD pipeline
- Quarterly security audits
- Team training on secrets management
- Implement proper secrets management system
🏗️ CI/CD Integration
GitHub Actions Example:
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Security Scan
run: python security/secrets_scanner.py
Pre-commit Hook Integration:
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: secrets-scan
name: Secrets Scanner
entry: python security/secrets_scanner.py
language: system
pass_filenames: false
🆘 Emergency Response
If Secrets Are Accidentally Committed:
-
IMMEDIATE:
# Run emergency scan python security/secrets_scanner.py --scan-git-history -
URGENT:
# Regenerate exposed credentials immediately # Update production systems -
CLEANUP:
# Clean git history python security/git_cleanup.py --cleanup --force
📞 Support and Reporting
Security Issues:
- Report immediately to security team
- Use encrypted communication for sensitive details
- Follow incident response procedures
Tool Issues:
- Check logs in security/ directory
- Review tool documentation
- Test in safe environment first
📚 Best Practices
1. Secrets Management:
- Use environment variables for all secrets
- Implement proper secrets management (Vault, AWS Secrets Manager)
- Never hardcode credentials in source code
- Use
.env.examplefor configuration templates
2. Git Practices:
- Always run security scan before commits
- Use meaningful commit messages
- Review changes before staging
- Keep git history clean and professional
3. Development Workflow:
- Use separate credentials for development/testing
- Regularly rotate credentials
- Monitor for credential exposure
- Train team on security practices
🔧 Troubleshooting
Common Issues:
-
Git hooks failing:
# Reinstall hooks ./security/install_hooks.sh -
Scanner false positives:
- Review patterns in
secrets_scanner.py - Add exceptions for legitimate uses
- Update pattern matching rules
- Review patterns in
-
History cleanup failures:
- Ensure clean working directory
- Create backup before attempting
- Check git permissions and status
⚠️ CRITICAL REMINDER
The credentials found in this repository (ROMFASTSOFT, Parola81) are potentially compromised and MUST be regenerated immediately. Git history cleanup should be performed BEFORE any other development work to prevent propagation to other repository clones.
Security implementation completed: 2025-08-03
Tools version: 1.0
Next security review: 2025-09-03