Audit secrets
This workflow checks commits for secrets, keys, or other sensitive data.
It runs in silent mode (silent_mode: true), so it posts no GitHub comments and makes no code changes. Instead, it fails the CI build if sensitive data is found in the commits.
```yaml
# .github/workflows/secret-audit.yml
name: Security Audit
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      issues: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2 # Need parent commit for diff
      - uses: JetBrains/junie-github-action@v0
        id: junie
        with:
          junie_api_key: ${{ secrets.JUNIE_API_KEY }}
          # Enable silent mode to avoid GitHub comments and code changes
          silent_mode: true
          prompt: |
            Scan git diff for accidentally committed secrets. Provide a structured report.

            **Look for:**
            - API keys (AWS, GCP, Azure, OpenAI, Stripe)
            - Private keys (RSA, SSH, PGP headers)
            - Passwords, auth tokens, JWT
            - Database connection strings, OAuth secrets

            **Patterns:**
            - `password=`, `secret=`, `token=`, `api_key=`
            - Long base64/hex strings (>20 chars)
            - `https://user:pass@host`
            - `-----BEGIN PRIVATE KEY-----`

            **Ignore false positives:**
            - Placeholders ("your-api-key-here", "example.com")
            - Test fixtures with dummy data
            - Encrypted values, public keys

            **Report format:**
            ## 🔐 Secret Scan Results
            **Status:** SECRETS_FOUND or CLEAN

            ### Issues Found:
            [If secrets found, list each one:]
            - **File:** path/file:line
            - **Type:** API Key / Private Key / Password / etc.
            - **Severity:** HIGH / MEDIUM
            - **Pattern:** [show redacted pattern, e.g., "aws_access_key=AKIA..."]
            - **Recommendation:** Remove from code, use GitHub Secrets

            [If no secrets found:]
            No secrets detected in this commit.

            Procedure:
            Use gh pr diff ${{ github.event.pull_request.head.ref }} to get a diff of the PR.
            Only provide feedback without modifying files.
      - name: Check results
        if: steps.junie.outputs.junie_summary != ''
        # Pass the summary through an environment variable instead of
        # interpolating it into the script, so text in the summary (which
        # is derived from PR content) is never executed as shell code
        env:
          JUNIE_SUMMARY: ${{ steps.junie.outputs.junie_summary }}
        run: |
          echo "$JUNIE_SUMMARY"
          # Fail if secrets were found
          if echo "$JUNIE_SUMMARY" | grep -q "SECRETS_FOUND"; then
            echo "::error::Secrets detected in commit! Review the summary above."
            exit 1
          fi
```
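The example below is added here and is not part of the Junie action or of the workflow above. It is a portable-shell approximation of the scan the prompt asks for: it walks a unified diff, checks only added lines against the pattern families listed in the prompt, drops the placeholder forms the prompt says to ignore, and prints the same report layout with a SECRETS_FOUND or CLEAN status, followed by a `check_results` function that mirrors the "Check results" step's exit-code decision. The regular expressions, the hex/base64 length thresholds, the sample diffs and the fake credentials in them are all constructed for this example; the page only names the pattern families.

```shell
#!/bin/sh
# Added example, not the page's or the action's code. Pattern sets and
# thresholds below are assumptions chosen to illustrate the prompt's rules.

# Constructed sample diffs; the "credentials" are fake and the file paths are made up.
DIRTY_DIFF='diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,3 +1,5 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000000"
+DATABASE_URL = "postgres://app:hunter2fake@db.internal/app"
+API_KEY = "your-api-key-here"
 DEBUG = False
-OLD_PASSWORD = "removed-lines-are-not-scanned"
'
CLEAN_DIFF='diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,1 +1,2 @@
 # App
+Set API_KEY to the value from https://example.com/keys before running.
'

# Keyword assignments (matched case-insensitively), structural secret shapes
# (matched case-sensitively), and placeholder forms that are ignored.
# The 32-char hex / 40-char base64 floors are an assumption; they cut noise
# from ordinary identifiers but will still flag hashes in lock files.
KEYWORD_RE='(password|passwd|secret|token|api[_-]?key)[[:space:]]*[=:]'
STRUCT_RE='[A-Za-z][A-Za-z0-9+.-]*://[^/@[:space:]]+:[^/@[:space:]]+@|-----BEGIN( [A-Z]+)? PRIVATE KEY-----|AKIA[0-9A-Z]{16}|eyJ[A-Za-z0-9_-]+[.][A-Za-z0-9_-]+[.][A-Za-z0-9_-]+|[A-Fa-f0-9]{32,}|[A-Za-z0-9+/]{40,}={0,2}'
PLACEHOLDER_RE='your-[a-z-]*-here|example[.](com|org)|changeme|<[A-Za-z_ -]+>|xxxx|BEGIN PUBLIC KEY|ENC[[]'

matches()    { printf '%s\n' "$2" | grep -Eq  -e "$1"; }
matches_ci() { printf '%s\n' "$2" | grep -Eiq -e "$1"; }

# Emit "file<TAB>line<TAB>text" for every added line, tracking the new-side
# line number from each @@ hunk header; removed lines are skipped.
added_lines() {
  awk '
    /^\+\+\+ / { file = substr($0, 5); sub(/^b\//, "", file); next }
    /^@@ /     { match($0, /\+[0-9]+/); line = substr($0, RSTART + 1, RLENGTH - 1) + 0; next }
    /^\+/      { printf "%s\t%d\t%s\n", file, line, substr($0, 2); line++; next }
    /^-/       { next }
    /^ /       { line++ }
  '
}

# Map a flagged line to "Type|Severity" in the report's vocabulary.
classify() {
  if   matches '-----BEGIN( [A-Z]+)? PRIVATE KEY-----' "$1"; then echo 'Private Key|HIGH'
  elif matches 'AKIA[0-9A-Z]{16}' "$1";                        then echo 'API Key|HIGH'
  elif matches 'eyJ[A-Za-z0-9_-]+[.][A-Za-z0-9_-]+[.]' "$1";   then echo 'Auth Token (JWT)|HIGH'
  elif matches '://[^/@[:space:]]+:[^/@[:space:]]+@' "$1";     then echo 'Connection String|HIGH'
  elif matches_ci "$KEYWORD_RE" "$1";                           then echo 'Password / Secret Assignment|MEDIUM'
  else                                                               echo 'High-entropy String|MEDIUM'
  fi
}

# Keep the key name and a few characters past the "=" or ":", then elide the rest.
redact() {
  printf '%s\n' "$1" | awk '{
    n = index($0, "="); if (n == 0) n = index($0, ":")
    keep = (n > 0) ? n + 6 : 8
    print substr($0, 1, keep) "..."
  }'
}

# Print one report entry per flagged added line; reads a unified diff on stdin.
scan_diff() {
  added_lines | while IFS="$(printf '\t')" read -r file line text; do
    if matches_ci "$KEYWORD_RE" "$text" || matches "$STRUCT_RE" "$text"; then
      if matches_ci "$PLACEHOLDER_RE" "$text"; then continue; fi
      kind=$(classify "$text")
      printf '%s\n' "- **File:** $file:$line" "- **Type:** ${kind%%|*}" \
        "- **Severity:** ${kind##*|}" "- **Pattern:** $(redact "$text")" \
        "- **Recommendation:** Remove from code, use GitHub Secrets"
    fi
  done
}

# Produce the report in the layout the prompt prescribes; reads a diff on stdin.
secret_report() {
  findings=$(scan_diff)
  echo "## 🔐 Secret Scan Results"
  if [ -n "$findings" ]; then
    echo "**Status:** SECRETS_FOUND"
    echo "### Issues Found:"
    printf '%s\n' "$findings"
  else
    echo "**Status:** CLEAN"
    echo "No secrets detected in this commit."
  fi
}

# Same decision as the workflow's "Check results" step: non-zero when the
# summary text contains SECRETS_FOUND.
check_results() {
  printf '%s\n' "$1" | grep -q "SECRETS_FOUND" && return 1
  return 0
}

# Usage: printf '%s\n' "$DIRTY_DIFF" | secret_report
#        gh pr diff <branch> | secret_report
```

Running `secret_report` on `DIRTY_DIFF` reports the fake AWS key at app/settings.py:2 and the credentialed connection string at app/settings.py:3, while the `your-api-key-here` placeholder on line 4 and the removed `OLD_PASSWORD` line are not reported; on `CLEAN_DIFF` the status is CLEAN, and `check_results` returns 0 for it and 1 for the dirty report.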
26 January 2026