This commit fixes overly broad .gitignore patterns that were excluding important source code files from version control. Previously, wildcard patterns like *auth*, *token*, *secret*, *connection*, and *credential* were excluding ALL files containing these words, including critical application code.

Changes:
- Updated .gitignore with specific patterns for sensitive config files (*.json, *.txt, *.yml, *.yaml extensions only)
- Removed broad wildcards that excluded source code files

Added missing source files:
- shared/auth/ (9 files): Complete authentication system - JWT handler, middleware, auth service, models, routes
- reports-app/backend/app/routers/auth.py: Authentication API router
- reports-app/backend/app/auth_middleware_wrapper.py: Middleware wrapper
- reports-app/frontend/src/stores/auth.js: Vue.js auth store
- reports-app/frontend/tests/: E2E tests and fixtures for auth
- reports-app/telegram-bot/app/auth/: Telegram auth linking module
- deployment/windows/scripts/Setup-ClaudeAuth.ps1: Windows deployment script
- security/secrets_scanner.py: Security scanning utility

These files are essential for the application to function and should have been included in the initial commit.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
🔒 ROA2WEB Security Audit Implementation
📋 Overview
This directory contains comprehensive security tools for the ROA2WEB project, implemented based on the critical findings in SECURITY_AUDIT_CONTEXT.md. The implementation addresses the discovered secrets in git history and provides ongoing protection against future security violations.
🚨 Critical Issues Addressed
Secrets Found in Repository:
- Oracle Password: ROMFASTSOFT (in multiple .env files)
- User Passwords: {"marius": "Parola81", "eli": "eli"}
- SSH Private Key: roa_oracle_server
- Environment Files: Multiple .env files with production credentials
🛠️ Security Tools Implemented
1. 🔍 secrets_scanner.py
Advanced secrets detection tool with pattern-based scanning.
Features:
- Scans current files for secrets and credentials
- Optional git history scanning
- Pattern-based (regex) detection; matches are heuristics and every report entry should be reviewed (see Troubleshooting for false positives)
- JSON report generation
- Integration ready for CI/CD
Usage:
# Basic scan
python security/secrets_scanner.py
# Scan with git history (slow but thorough)
python security/secrets_scanner.py --scan-git-history
# Save detailed report
python security/secrets_scanner.py --save-report security_report.json
2. 🧹 git_cleanup.py
Git history cleanup tool for removing secrets from repository history.
Features:
- Complete repository backup before cleanup
- Removes sensitive files from git history
- Replaces secret patterns in commits
- Verification of cleanup completion
- Detailed logging of all actions
Usage:
# Create backup only
python security/git_cleanup.py --backup
# Scan for secrets in history
python security/git_cleanup.py --scan
# Run complete cleanup (DANGEROUS - rewrites history)
python security/git_cleanup.py --cleanup
# Force cleanup without prompts
python security/git_cleanup.py --cleanup --force
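The backup, rewrite and verification steps that git_cleanup.py wraps, written out as an added example (not the project's own code). It uses git filter-branch only because that ships with git; git filter-repo is the tool git's own documentation recommends for real cleanups. The repository, the commits and the placeholder value hunter2example are constructed inside the example. The point it makes is the one the "Verification of cleanup completion" feature exists for: deleting the file in a later commit leaves the secret in history, and even after filter-branch the old commits stay reachable through refs/original/ and the reflog until those are dropped. The mirror backup still contains the secret too, so it belongs off the shared remote and should be deleted once the rotation is done.

```python
"""Added example: remove a committed secret from git history and verify the result.

Everything here (repo, commits, the value hunter2example) is constructed; it is
not ROA2WEB's git_cleanup.py and the real password is deliberately not used.
"""
import os
import subprocess
import tempfile
from pathlib import Path


def git(repo: Path, *args: str) -> str:
    """Run a git command inside repo and return its stdout."""
    done = subprocess.run(["git", "-C", str(repo), *args],
                          check=True, capture_output=True, text=True)
    return done.stdout


def backup_repo(repo: Path, dest: Path) -> Path:
    """Mirror clone: every ref and object, so the rewrite can be undone.
    The backup still holds the secret; keep it off the shared remote and
    delete it once the new credentials are live."""
    subprocess.run(["git", "clone", "--quiet", "--mirror", str(repo), str(dest)],
                   check=True, capture_output=True)
    return dest


def secret_in_history(repo: Path, literal: str) -> bool:
    """True if the literal appears in any tree reachable from any ref."""
    revs = git(repo, "rev-list", "--all").split()
    if not revs:
        return False
    done = subprocess.run(
        ["git", "-C", str(repo), "grep", "-q", "-I", "-F", "-e", literal, *revs],
        capture_output=True)
    return done.returncode == 0  # git grep exits 1 when nothing matches


def purge_path(repo: Path, path: str) -> None:
    """Rewrite every commit on every branch without the given path."""
    env = dict(os.environ, FILTER_BRANCH_SQUELCH_WARNING="1")
    subprocess.run(
        ["git", "-C", str(repo), "filter-branch", "--force", "--index-filter",
         f"git rm --quiet --cached --ignore-unmatch -- '{path}'", "--", "--all"],
        check=True, capture_output=True, env=env)


def drop_backup_refs(repo: Path) -> None:
    """filter-branch keeps the old commits under refs/original/ and in the reflog;
    until those go, the secret is still reachable in the 'cleaned' repository."""
    for ref in git(repo, "for-each-ref", "--format=%(refname)", "refs/original/").split():
        git(repo, "update-ref", "-d", ref)
    git(repo, "reflog", "expire", "--expire=now", "--all")
    git(repo, "gc", "--quiet", "--prune=now")


def demo() -> dict:
    """Build a throwaway repo, commit a secret, delete it in a later commit, then clean."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        subprocess.run(["git", "-c", "init.defaultBranch=main", "init", "-q", str(repo)],
                       check=True, capture_output=True)
        ident = ["-c", "user.name=example", "-c", "user.email=example@example.invalid"]
        (repo / ".env").write_text("ORACLE_PASSWORD=hunter2example\n")  # constructed placeholder
        (repo / "app.py").write_text("print('hello')\n")
        git(repo, "add", "-A")
        git(repo, *ident, "commit", "-q", "-m", "initial import")
        (repo / ".env").unlink()
        git(repo, "add", "-A")
        git(repo, *ident, "commit", "-q", "-m", "remove .env")

        result = {}
        # Deleting the file in a new commit does not remove it from history.
        result["after_delete_commit"] = secret_in_history(repo, "hunter2example")
        backup = backup_repo(repo, Path(tmp) / "backup.git")
        purge_path(repo, ".env")
        # Still reachable: refs/original/ points at the pre-rewrite commits.
        result["after_filter_branch"] = secret_in_history(repo, "hunter2example")
        drop_backup_refs(repo)
        result["after_dropping_backup_refs"] = secret_in_history(repo, "hunter2example")
        # The mirror backup is a full copy of the old history, secret included.
        result["in_backup"] = secret_in_history(backup, "hunter2example")
        return result


if __name__ == "__main__":
    for step, found in demo().items():
        print(f"{step:30s} secret reachable: {found}")
```

After the local history is clean, every remote branch still carries the old commits until it is force-pushed, and every existing clone or fork keeps them regardless; that is why credential rotation, not the rewrite, is the step that ends the exposure.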
3. 🪝 Git Hooks
Pre-commit and commit-msg hooks to prevent future secrets commits.
Installation:
# Install all security hooks
./security/install_hooks.sh
Features:
- pre-commit: Scans staged files for secrets before commit
- commit-msg: Validates commit messages for suspicious keywords
- Blocks commits containing credentials
- Provides actionable remediation guidance
4. 🛡️ Enhanced .gitignore
Comprehensive patterns to prevent committing sensitive files.
Added Protections:
- All environment files (except .example)
- SSH keys and certificates
- Secrets and credentials files
- Database connection files
- Production configurations
- Development tool caches
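A .gitignore fragment, added here as an example (assumed patterns, not a copy of the project's file), showing the over-broad wildcards the commit message above describes beside extension-scoped forms that cover the same categories while keeping source files such as reports-app/backend/app/routers/auth.py and security/secrets_scanner.py under version control:

```gitignore
# Over-broad: a bare substring hides source code as well as config.
#   *auth*    also matched shared/auth/ and routers/auth.py
#   *secret*  also matched security/secrets_scanner.py
# Do not use patterns like these.

# Environment files, keeping the committed templates
.env
.env.*
!.env.example
!.env.*.example

# SSH keys and certificates
*.pem
*.key
*_rsa
id_ed25519

# Secrets, credentials and connection files: data extensions only
*secret*.json
*secret*.yml
*secret*.yaml
*secret*.txt
*credential*.json
*credential*.yml
*credential*.yaml
*credential*.txt
*connection*.json
*connection*.yml
*connection*.yaml
*token*.json
*token*.txt

# Production configurations
config.prod.*

# Development tool caches (assumed for a Python project)
__pycache__/
.pytest_cache/
```

Check the result rather than trusting it: `git check-ignore -v --no-index reports-app/backend/app/routers/auth.py` prints the rule that matches a path and exits 1 when nothing does (without --no-index, tracked files are never reported), and `git ls-files -ci --exclude-standard` lists tracked files that a current pattern would ignore, which is exactly the situation the commit message fixed. Either list containing source code means a pattern is still too broad.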
📊 Security Scanning Patterns
Critical Patterns Detected:
- ORACLE_PASSWORD=*
- VALID_USERS=*
- SSH private key headers
- AWS access keys
- Bearer tokens
- Generic password patterns
- Connection strings
Suspicious File Patterns:
- *.env (except .example)
- *_rsa, *.key, *.pem
- *secret*, *credential*, *password*
- config.prod.*
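An added example (not the project's secrets_scanner.py) that implements the two rule families above, the content patterns and the suspicious file-name patterns, over a constructed file tree; regexes, rule names, file contents and the placeholder values are all illustrative. It also shows two points a practitioner wants from a scanner of this kind: the report masks what it matched, so the report file does not become one more copy of the secret, and the file-name heuristic flags security/secrets_scanner.py itself (the same substring problem the commit message describes for .gitignore), which is why a name-based rule needs an allowlist.

```python
"""Added example: a small pattern-based secrets scanner.

Mirrors the rule categories listed under "Security Scanning Patterns". The
regexes, file tree and rule names are illustrative, not the project's own.
"""
import json
import re
import tempfile
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Iterable, List, Optional

CONTENT_PATTERNS = {
    "oracle_password": re.compile(r"^[ \t]*ORACLE_PASSWORD[ \t]*=[ \t]*\S+", re.M),
    "valid_users": re.compile(r"^[ \t]*VALID_USERS[ \t]*=[ \t]*\S+", re.M),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer[ \t]+[A-Za-z0-9\-._~+/]{20,}=*", re.I),
    "generic_password": re.compile(
        r"\b(?:password|passwd|pwd)[ \t]*[=:][ \t]*['\"]?[^\s'\"]{4,}", re.I),
    # scheme://user:password@host - the credential sits between ':' and '@'
    "connection_string": re.compile(
        r"\b[a-z][a-z0-9+_.-]*://[^\s:@/]+:[^\s@/]+@\S+", re.I),
}


def suspicious_name(path: str) -> Optional[str]:
    """File-name rules; a hit is reported even when the content looks clean."""
    name = path.rsplit("/", 1)[-1]
    if name.endswith(".example"):  # committed templates are fine
        return None
    if name == ".env" or name.startswith(".env.") or name.endswith(".env"):
        return "env_file"
    if name.endswith(("_rsa", ".key", ".pem")):
        return "key_material"
    if re.search(r"secret|credential|password", name, re.I):
        return "secret_like_name"
    if name.startswith("config.prod."):
        return "prod_config"
    return None


@dataclass
class Finding:
    path: str
    rule: str
    line: int       # 0 for file-name findings
    evidence: str   # masked, so the report does not leak the value


def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding can be located, never the whole value."""
    return value[:keep] + "*" * (len(value) - keep) if len(value) > keep else "*" * len(value)


def scan_text(path: str, text: str) -> List[Finding]:
    """Apply the file-name rules and every content rule to one file."""
    findings: List[Finding] = []
    name_rule = suspicious_name(path)
    if name_rule:
        findings.append(Finding(path, name_rule, 0, "(file name)"))
    for rule, pattern in CONTENT_PATTERNS.items():
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, rule, line, mask(m.group(0).strip())))
    return findings


def scan_paths(root: Path, allowlist: Iterable[str] = ()) -> List[Finding]:
    """Walk a checkout (skipping .git) and scan every file not on the allowlist."""
    allowed = set(allowlist)
    findings: List[Finding] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or ".git" in p.parts:
            continue
        rel = p.relative_to(root).as_posix()
        if rel in allowed:
            continue
        findings.extend(scan_text(rel, p.read_text(errors="replace")))
    return findings


def report(findings: List[Finding]) -> str:
    return json.dumps([asdict(f) for f in findings], indent=2)


# Constructed sample tree; the values are placeholders, not real credentials.
SAMPLE_TREE = {
    ".env": 'ORACLE_PASSWORD=hunter2example\nVALID_USERS={"alice": "pw"}\n',
    ".env.example": "ORACLE_PASSWORD=\nVALID_USERS=\n",
    "deploy/roa_server_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "config.prod.yml": "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n",
    "logs/app.log": "GET /api Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl\n",
    "app/db.py": 'URL = "oracle+cx_oracle://app:s3cretpass@db.internal:1521/ORCL"\n',
    "app/auth.py": "def check_password(user, password):\n    return user.verify(password)\n",
    "security/secrets_scanner.py": "# the scanner itself: its name trips the *secret* heuristic\n",
}


def scan_sample_tree(allowlist: Iterable[str] = ()) -> List[Finding]:
    """Materialise SAMPLE_TREE in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_TREE.items():
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(content)
        return scan_paths(root, allowlist)


if __name__ == "__main__":
    print(report(scan_sample_tree(allowlist={"security/secrets_scanner.py"})))
```

A pre-commit hook built on this would pass only the staged paths (git diff --cached --name-only --diff-filter=ACM) to scan_text and exit non-zero on any finding; the allowlist is where legitimate matches such as the scanner's own file name go, rather than loosening the patterns.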
🚀 Quick Start Guide
1. Immediate Security Scan
# Run comprehensive security scan
python security/secrets_scanner.py --save-report current_security_status.json
2. Install Git Hooks
# Prevent future secrets commits
./security/install_hooks.sh
3. (CRITICAL) Git History Cleanup
⚠️ WARNING: This rewrites git history. Coordinate with your team first!
# 1. Create backup
python security/git_cleanup.py --backup
# 2. Scan for secrets in history
python security/git_cleanup.py --scan
# 3. Run cleanup (after team coordination)
python security/git_cleanup.py --cleanup
4. Regenerate Compromised Credentials
🔑 MANDATORY: All exposed credentials must be regenerated:
- Oracle password: ROMFASTSOFT
- User passwords: Parola81, eli
- SSH key: roa_oracle_server
📋 Security Checklist
✅ Immediate Actions (DONE):
- Enhanced root .gitignore with security patterns
- Implemented secrets scanner tool
- Created git history cleanup tools
- Installed git hooks for prevention
- Documented security procedures
🔧 Required Actions (TODO):
- CRITICAL: Regenerate Oracle password (ROMFASTSOFT)
- CRITICAL: Regenerate user passwords (Parola81, eli)
- CRITICAL: Regenerate SSH key (roa_oracle_server)
- Run git history cleanup (git_cleanup.py --cleanup)
- Force push cleaned history to all remotes
- Notify team to re-clone repository
- Update production environment with new credentials
🔒 Ongoing Security:
- Regular security scans in CI/CD pipeline
- Quarterly security audits
- Team training on secrets management
- Implement proper secrets management system
🏗️ CI/CD Integration
GitHub Actions Example:
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # the default shallow checkout has one commit; --scan-git-history needs the full history
      - name: Security Scan
        run: python security/secrets_scanner.py
This job only blocks a push or pull request if the scanner exits non-zero when it finds something; confirm that behaviour once with a deliberately planted test value before relying on it.
Pre-commit Hook Integration:
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: secrets-scan
        name: Secrets Scanner
        entry: python security/secrets_scanner.py
        language: system
        pass_filenames: false
🆘 Emergency Response
If Secrets Are Accidentally Committed:
1. IMMEDIATE:
# Run emergency scan
python security/secrets_scanner.py --scan-git-history
2. URGENT:
# Regenerate exposed credentials immediately
# Update production systems
3. CLEANUP:
# Clean git history
python security/git_cleanup.py --cleanup --force
📞 Support and Reporting
Security Issues:
- Report immediately to security team
- Use encrypted communication for sensitive details
- Follow incident response procedures
Tool Issues:
- Check logs in security/ directory
- Review tool documentation
- Test in safe environment first
📚 Best Practices
1. Secrets Management:
- Use environment variables for all secrets
- Implement proper secrets management (Vault, AWS Secrets Manager)
- Never hardcode credentials in source code
- Use .env.example for configuration templates
2. Git Practices:
- Always run security scan before commits
- Use meaningful commit messages
- Review changes before staging
- Keep git history clean and professional
3. Development Workflow:
- Use separate credentials for development/testing
- Regularly rotate credentials
- Monitor for credential exposure
- Train team on security practices
🔧 Troubleshooting
Common Issues:
- Git hooks failing:
# Reinstall hooks
./security/install_hooks.sh
- Scanner false positives:
  - Review patterns in secrets_scanner.py
  - Add exceptions for legitimate uses
  - Update pattern matching rules
- History cleanup failures:
  - Ensure clean working directory
  - Create backup before attempting
  - Check git permissions and status
⚠️ CRITICAL REMINDER
The credentials found in this repository (ROMFASTSOFT, Parola81) must be treated as compromised and regenerated immediately. Rotation comes first: rewriting history does not recall copies that other clones, forks, mirrors or CI caches have already fetched, so the rewrite limits further spread but does not end the exposure. Run the git history cleanup before any other development work so that no new commits are built on top of the old history. Note that this README itself repeats the exposed values; the scanner will flag it, and once the credentials have been rotated the document should name the affected accounts and key, not their values.
Security implementation completed: 2025-08-03
Tools version: 1.0
Next security review: 2025-09-03