OpenCollab-Insight/check-secrets.py at main · hud0567/OpenCollab-Insight · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
#!/usr/bin/env python3
"""
安全检查脚本 - 扫描项目中的潜在敏感信息
"""
import os
import re
import sys

# 敏感信息模式
PATTERNS = {
    'API Keys': [
        r'sk-[A-Za-z0-9]{20,}',  # OpenAI style keys
        r'AIzaSy[A-Za-z0-9-_]{33}',  # Google API keys
        r'AKIA[0-9A-Z]{16}',  # AWS Access Key
    ],
    'Tokens': [
        r'ghp_[A-Za-z0-9]{36}',  # GitHub Personal Access Token
        r'glpat-[A-Za-z0-9-_]{20,}',  # GitLab Personal Access Token
    ],
    'Passwords': [
        r'password\s*=\s*["\'][^"\']{8,}["\']',
        r'pwd\s*=\s*["\'][^"\']{8,}["\']',
    ],
    'Private Keys': [
        r'-----BEGIN (RSA |)PRIVATE KEY-----',
    ]
}

# 排除的文件类型
EXCLUDE_EXTENSIONS = {'.pyc', '.pyo', '.so', '.dll', '.exe', '.png', '.jpg', '.gif'}

# 排除的目录
EXCLUDE_DIRS = {'__pycache__', '.git', 'node_modules', 'venv', 'env', '.venv'}

def scan_file(filepath):
    """扫描单个文件"""
    findings = []

    try:
        with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
            content = f.read()

            for category, patterns in PATTERNS.items():
                for pattern in patterns:
                    matches = re.finditer(pattern, content, re.IGNORECASE)
                    for match in matches:
                        findings.append({
                            'file': filepath,
                            'category': category,
                            'line': content[:match.start()].count('\n') + 1,
                            'match': match.group()[:50] + '...' if len(match.group()) > 50 else match.group()
                        })
    except Exception as e:
        pass  # 忽略无法读取的文件

    return findings

def scan_directory(root_dir):
    """递归扫描目录"""
    all_findings = []

    for root, dirs, files in os.walk(root_dir):
        # 排除特定目录
        dirs[:] = [d for d in dirs if d not in EXCLUDE_DIRS]

        for file in files:
            # 排除特定文件类型
            if any(file.endswith(ext) for ext in EXCLUDE_EXTENSIONS):
                continue

            filepath = os.path.join(root, file)
            findings = scan_file(filepath)
            all_findings.extend(findings)

    return all_findings

def main():
    print("[*] Starting security scan...")
    print("-" * 60)

    root_dir = os.path.dirname(os.path.abspath(__file__))
    findings = scan_directory(root_dir)

    if findings:
        print(f"[!] Found {len(findings)} potential security issues:\n")

        for finding in findings:
            print(f"File: {finding['file']}")
            print(f"  Type: {finding['category']}")
            print(f"  Line: {finding['line']}")
            print(f"  Content: {finding['match']}")
            print()

        print("=" * 60)
        print("[!] Please remove these secrets before committing!")
        sys.exit(1)
    else:
        print("[OK] No obvious secrets found")
        print("=" * 60)
        print("[*] Tip: Still manually review .env and config files")
        sys.exit(0)

if __name__ == '__main__':
    main()