security: tighten gitleaks regex + document history-purge audit trail #14

Merged
nsatoshi merged 1 commits from devin/1776542851-harden-gitleaks-and-document-purge into master 2026-04-18 20:08:59 +00:00

## Summary

Two small follow-ups to the out-of-band git-history rewrite that purged `L@ker$2010` / `L@kers2010` / `L@ker\$2010` from every branch and tag in this repository today.

## Changes

### `.gitleaks.toml`

Regex was `L@kers?\$?2010`, which catches the **expanded** form but **NOT** the **shell-escaped** form (`L@ker\$2010`) that slipped past [PR #3](https://gitea.d-bis.org/d-bis/explorer-monorepo/pulls/3) in `scripts/setup-database.sh`. [PR #13](https://gitea.d-bis.org/d-bis/explorer-monorepo/pulls/13) fixed the live leak but didn't tighten the detector. New regex `L@kers?\\?\$?2010` catches both forms so future pastes of either form fail CI.

Description rewritten without literal passwords (the previous description was redacted by the history rewrite itself and read `Legacy hardcoded ... (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)`, which was cryptic).

### `docs/SECURITY.md`

- New **History-purge audit trail** section recording what was done, how it was verified (0 literal password matches in any blob or commit message; 0 legacy-password findings from a post-rewrite gitleaks scan), and what operator cleanup is still required on the Gitea host.
- **Residual server-side state** subsection documents that the 13 `refs/pull/*/head` refs (read-only PR head mirrors) **cannot be force-updated over HTTPS** — the server's `update` hook declines them. Gives the explicit `git update-ref -d` + `git gc --prune=now` recipe for the gitea user on the VM.
- **Re-introduction guard** subsection points at the tightened regex and commit `78e1ff5`.

## History-purge summary (out-of-band)

Ran `git clone --mirror → git filter-repo --replace-text → git filter-repo --replace-message → git push --mirror --force`. Result:

| Scope | Before | After |
|---|---|---|
| `master` tree matches | `scripts/setup-database.sh` (escaped form) | 0 |
| Any blob across all 18 branches matching `L@kers?\$?2010` | many | 0 |
| Commit messages mentioning `L@ker$2010` / `L@kers2010` / `L@ker\$2010` | many | 0 |
| gitleaks legacy-password rule findings (post-rewrite) | N/A | **0** |
| `refs/pull/*/head` (13 refs) | still pin pre-rewrite commits | **unchanged — Gitea server-side cleanup required** |

All 18 feature branches force-updated in the same push.

## Verification

```
git log --all -p | grep -cE 'L@ker\$2010|L@kers2010|L@ker\\\$2010'
# 0

gitleaks detect --no-git --source . --config .gitleaks.toml
# 0 legacy-password findings (41 other pre-existing findings unrelated to this rotation)
```

## Operator action required after this merges

To complete the purge, an admin on the Gitea VM needs to drop the 13 `refs/pull/*/head` refs. Recipe is in the new `docs/SECURITY.md` section. Until that runs, the old commits are still reachable by SHA through the Gitea web UI (`/pulls/<n>/files` tab), though not through the normal clone or any branch.

## Deferred (user's call)

- **Live credential rotation** in infrastructure (Postgres, SSH on Besu VMs, JWT secret, xAI / OpenSea vendor keys). Checklist in `docs/SECURITY.md` section 1–4 is unchanged from PR #3. User flagged this would be done on ops side with fresh credentials provided to a future Devin session.
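Added example (not code from the PR or the repository): the old and new `.gitleaks.toml` patterns quoted above, compiled with Go's RE2-based `regexp` package (the engine gitleaks, a Go program, uses for its rules) and run over constructed sample lines, showing that the old rule misses the shell-escaped form while the tightened rule flags all three without touching the parameterised replacement. `Samples` and `Audit` are constructed for this demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Patterns copied from the PR description: the .gitleaks.toml rule before
// and after PR #14. Go's regexp is RE2-based, the engine gitleaks compiles
// its rules with, so a miss here is a miss in CI.
var (
	OldRule = regexp.MustCompile(`L@kers?\$?2010`)
	NewRule = regexp.MustCompile(`L@kers?\\?\$?2010`)
)

// Constructed sample lines standing in for file contents a scan would see.
// "escaped" is the shell-escaped form that slipped past PR #3; "clean" is
// the parameterised replacement and must not be flagged.
var Samples = map[string]string{
	"expanded": `POSTGRES_PASSWORD=L@ker$2010`,
	"plural":   `export PGPASSWORD=L@kers2010`,
	"escaped":  `psql "postgres://app:L@ker\$2010@localhost/explorer"`,
	"clean":    `POSTGRES_PASSWORD=${POSTGRES_PASSWORD}`,
}

// Audit returns, sorted, the secret-bearing samples a rule fails to flag
// (the gap a tightened detector is supposed to close) and any clean
// sample it flags by mistake (a false positive).
func Audit(rule *regexp.Regexp) (missed, falsePositives []string) {
	for name, line := range Samples {
		hit := rule.MatchString(line)
		switch {
		case name == "clean" && hit:
			falsePositives = append(falsePositives, name)
		case name != "clean" && !hit:
			missed = append(missed, name)
		}
	}
	sort.Strings(missed)
	sort.Strings(falsePositives)
	return missed, falsePositives
}

func main() {
	oldMiss, _ := Audit(OldRule)
	newMiss, newFP := Audit(NewRule)
	fmt.Println("old rule misses:", oldMiss)                            // [escaped]
	fmt.Println("new rule misses:", newMiss, "false positives:", newFP) // [] []
}
```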
nsatoshi added 1 commit 2026-04-18 20:08:44 +00:00
security: tighten gitleaks regex for escaped form, document history-purge audit trail
Some checks failed
CI / Backend (go 1.23.x) (pull_request) Successful in 56s
CI / Backend security scanners (pull_request) Failing after 40s
CI / Frontend (node 20) (pull_request) Successful in 2m19s
CI / gitleaks (secret scan) (pull_request) Failing after 7s
e2e-full / e2e-full (pull_request) Has been skipped
fdb14dc420
Two small follow-ups to the out-of-band git-history rewrite that
purged L@ker$2010 / L@kers2010 / L@ker\$2010 from every branch and
tag:

.gitleaks.toml:
  - Regex was L@kers?\$?2010 which catches the expanded form but
    NOT the shell-escaped form (L@ker\$2010) that slipped past PR #3
    in scripts/setup-database.sh. PR #13 fixed the live leak but did
    not tighten the detector. New regex L@kers?\\?\$?2010 catches
    both forms so future pastes of either form fail CI.
  - Description rewritten without the literal password (the previous
    description was redacted by the history rewrite itself and read
    'Legacy hardcoded ... (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)'
    which was cryptic).

docs/SECURITY.md:
  - New 'History-purge audit trail' section recording what was done,
    how it was verified (0 literal password matches in any blob or
    commit message; 0 legacy-password findings from a post-rewrite
    gitleaks scan), and what operator cleanup is still required on
    the Gitea host to drop the 13 refs/pull/*/head refs that still
    pin the pre-rewrite commits (the update hook declined those refs
    over HTTPS, so only an admin on the Gitea VM can purge them via
    'git update-ref -d' + 'git gc --prune=now' in the bare repo).
  - New 'Re-introduction guard' subsection pointing at the tightened
    regex and commit 78e1ff5.

Verification:
  gitleaks detect --no-git --source . --config .gitleaks.toml   # 0 legacy hits
  git log --all -p | grep -cE 'L@ker\$2010|L@kers2010'         # 0
nsatoshi merged commit fe9edd842b into master 2026-04-18 20:08:59 +00:00
Reference: d-bis/explorer-monorepo#14