-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcheck_repo_hygiene.py
More file actions
99 lines (78 loc) · 2.87 KB
/
Copy pathcheck_repo_hygiene.py
File metadata and controls
99 lines (78 loc) · 2.87 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
#!/usr/bin/env python3
import re
import subprocess
import sys
from pathlib import Path
ALLOWED_CODEX_PATHS = {
".codex/config.toml",
}
FORBIDDEN_STAGEABLE_PATHS = (
".env",
"data/",
".venv/",
"venv/",
"codex-home/",
)
FORBIDDEN_FILENAMES = {
"auth.json",
"history.jsonl",
}
SECRET_PATTERNS = {
"openai_api_key": re.compile(r"(?<![A-Za-z0-9_])sk-[A-Za-z0-9_-]{20,}"),
"github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{20,}"),
"github_fine_grained_token": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}"),
"private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA |PGP )?PRIVATE KEY-----"),
"long_bearer_literal": re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]{32,}"),
}
def is_allowed_codex_path(path: str) -> bool:
if path in ALLOWED_CODEX_PATHS:
return True
rules_prefix = ".codex/rules/"
if path.startswith(rules_prefix):
rule_name = path.removeprefix(rules_prefix)
return "/" not in rule_name and rule_name.endswith(".rules")
return False
def fail(message: str) -> None:
print(f"FAIL: {message}", file=sys.stderr)
raise SystemExit(1)
def git_stageable_files() -> list[str]:
completed = subprocess.run(
["git", "ls-files", "--cached", "--others", "--exclude-standard"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True,
check=False,
)
if completed.returncode != 0:
fail("could not list git-stageable files")
return [line for line in completed.stdout.splitlines() if line]
def check_paths(paths: list[str]) -> None:
for path in paths:
normalized = path.replace("\\", "/")
if normalized in FORBIDDEN_STAGEABLE_PATHS:
fail(f"forbidden path is stageable: {path}")
if any(normalized.startswith(prefix) for prefix in FORBIDDEN_STAGEABLE_PATHS if prefix.endswith("/")):
fail(f"forbidden path is stageable: {path}")
if normalized == ".codex" or (normalized.startswith(".codex/") and not is_allowed_codex_path(normalized)):
fail(f"forbidden Codex state/config path is stageable: {path}")
if Path(normalized).name in FORBIDDEN_FILENAMES:
fail(f"forbidden credential/state filename is stageable: {path}")
def check_secret_patterns(paths: list[str]) -> None:
for path in paths:
file_path = Path(path)
if not file_path.is_file():
continue
try:
content = file_path.read_text(encoding="utf-8")
except UnicodeDecodeError:
continue
for name, pattern in SECRET_PATTERNS.items():
if pattern.search(content):
fail(f"possible secret pattern '{name}' in {path}")
def main() -> None:
paths = git_stageable_files()
check_paths(paths)
check_secret_patterns(paths)
print("repo hygiene checks passed")
if __name__ == "__main__":
main()