wylab/claude-hub
1
0
Fork 0
forked from claude-did-this/claude-hub
Code Issues 1 Pull Requests Activity
Files
7e545475d0c51b04f2df1c16fbc2c6d4d47dde3a
claude-hub/.pre-commit-config.yaml
Jonathan Flatt 7e545475d0 security: Implement comprehensive credential protection system 
Replace environment variable credentials with secure file-based mounting
to prevent runtime credential exposure that was causing security leaks.

Key security improvements:
- Docker secrets integration for credential mounting
- Secure credential loader utility (secureCredentials.js)
- Enhanced logging redaction for all credential types
- Pre-commit security scanning with multiple tools
- Automated security audit workflow and scripts
- File-based credentials with proper 600 permissions

Services updated:
- githubController.js: Use secure credentials for webhook verification
- claudeService.js: Use secure credentials for GitHub/Anthropic APIs
- githubService.js: Use secure credentials for GitHub API calls
- logger.js: Enhanced redaction patterns for all credential types

New security infrastructure:
- ./scripts/setup/setup-secure-credentials.sh: Setup script for secure credentials
- ./scripts/security/credential-audit.sh: Comprehensive security audit
- .github/workflows/security-audit.yml: Automated security scanning
- docker-compose.yml: Updated to use Docker secrets by default
- k8s/secrets.yaml: Kubernetes secrets configuration
- systemd/claude-webhook.service: Systemd service configuration

This eliminates credential exposure in:
- Environment variables and process lists
- Container logs and debug output
- Git commits and PR comments
- Runtime error messages

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-05-21 23:03:07 -05:00

39 lines
1.4 KiB
YAML
Raw Blame History

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
- id: check-added-large-files
- id: check-json
- id: check-merge-conflict
- id: check-executables-have-shebangs
- id: check-shebang-scripts-are-executable
- repo: https://github.com/Yelp/detect-secrets
rev: v1.4.0
hooks:
- id: detect-secrets
args: ['--baseline', '.secrets.baseline']
exclude: node_modules/
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.1
hooks:
- id: gitleaks
- repo: https://github.com/thoughtworks/talisman
rev: v1.32.0
hooks:
- id: talisman-commit
entry: cmd --githook pre-commit
- repo: local
hooks:
- id: env-file-check
name: Check for .env files
entry: bash -c 'if find . -name ".env*" -not -path "./node_modules/*" -not -name ".env.example" | grep -q .; then echo "Found .env files that may contain secrets"; exit 1; fi'
language: system
pass_filenames: false
- id: credential-scan
name: Scan for hardcoded credentials
entry: bash -c 'if grep -r "sk-\|ghp_\|AKIA\|xox[boas]\|AIza[0-9A-Za-z\\-_]\{35\}" --exclude-dir=node_modules --exclude-dir=.git .; then echo "Found potential hardcoded credentials"; exit 1; fi'
language: system
pass_filenames: false
Reference in New Issue View Git Blame Copy Permalink