forked from claude-did-this/claude-hub
7e545475d0
Replace environment variable credentials with secure file-based mounting to prevent runtime credential exposure that was causing security leaks. Key security improvements: - Docker secrets integration for credential mounting - Secure credential loader utility (secureCredentials.js) - Enhanced logging redaction for all credential types - Pre-commit security scanning with multiple tools - Automated security audit workflow and scripts - File-based credentials with proper 600 permissions Services updated: - githubController.js: Use secure credentials for webhook verification - claudeService.js: Use secure credentials for GitHub/Anthropic APIs - githubService.js: Use secure credentials for GitHub API calls - logger.js: Enhanced redaction patterns for all credential types New security infrastructure: - ./scripts/setup/setup-secure-credentials.sh: Setup script for secure credentials - ./scripts/security/credential-audit.sh: Comprehensive security audit - .github/workflows/security-audit.yml: Automated security scanning - docker-compose.yml: Updated to use Docker secrets by default - k8s/secrets.yaml: Kubernetes secrets configuration - systemd/claude-webhook.service: Systemd service configuration This eliminates credential exposure in: - Environment variables and process lists - Container logs and debug output - Git commits and PR comments - Runtime error messages 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>