@eeacms/volto-bise-policy 1.3.2 → 1.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/betterleaks.yml +133 -0
- package/.gitleaks.toml +89 -0
- package/CHANGELOG.md +10 -13
- package/README.md +59 -0
- package/RELEASE.md +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,133 @@
|
|
|
1
|
+
name: Betterleaks
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
push:
|
|
5
|
+
pull_request:
|
|
6
|
+
|
|
7
|
+
permissions:
|
|
8
|
+
contents: read
|
|
9
|
+
|
|
10
|
+
jobs:
|
|
11
|
+
scan:
|
|
12
|
+
name: Scan for secrets
|
|
13
|
+
runs-on: ubuntu-latest
|
|
14
|
+
env:
|
|
15
|
+
SMTP_URL: ${{ secrets.SMTP_URL }}
|
|
16
|
+
SMTP_PORT: ${{ secrets.SMTP_PORT || '25' }}
|
|
17
|
+
SMTP_EMAIL: ${{ secrets.SMTP_EMAIL }}
|
|
18
|
+
SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
|
|
19
|
+
steps:
|
|
20
|
+
- name: Checkout repository
|
|
21
|
+
uses: actions/checkout@v4
|
|
22
|
+
with:
|
|
23
|
+
fetch-depth: 1
|
|
24
|
+
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
25
|
+
|
|
26
|
+
- name: Run Betterleaks
|
|
27
|
+
id: betterleaks
|
|
28
|
+
continue-on-error: true
|
|
29
|
+
uses: dortort/betterleaks-action@v0.1.0
|
|
30
|
+
with:
|
|
31
|
+
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
32
|
+
scan-mode: dir
|
|
33
|
+
scan-path: .
|
|
34
|
+
config: .gitleaks.toml
|
|
35
|
+
report-format: json
|
|
36
|
+
report-path: betterleaks-report.json
|
|
37
|
+
redact: "true"
|
|
38
|
+
no-color: "true"
|
|
39
|
+
no-banner: "true"
|
|
40
|
+
fail-on-leak: "true"
|
|
41
|
+
|
|
42
|
+
- name: Upload Betterleaks report
|
|
43
|
+
if: always()
|
|
44
|
+
uses: actions/upload-artifact@v4
|
|
45
|
+
with:
|
|
46
|
+
name: betterleaks-report
|
|
47
|
+
path: betterleaks-report.json
|
|
48
|
+
if-no-files-found: ignore
|
|
49
|
+
|
|
50
|
+
- name: Build Betterleaks email summary
|
|
51
|
+
id: leak_summary
|
|
52
|
+
if: steps.betterleaks.outcome == 'failure'
|
|
53
|
+
shell: bash
|
|
54
|
+
run: |
|
|
55
|
+
if [[ -s betterleaks-report.json ]]; then
|
|
56
|
+
jq -r '
|
|
57
|
+
def one_line:
|
|
58
|
+
tostring
|
|
59
|
+
| gsub("[\r\n]+"; " ")
|
|
60
|
+
| if length > 240 then .[0:240] + "..." else . end;
|
|
61
|
+
|
|
62
|
+
.[:20][]
|
|
63
|
+
| "- " + (.RuleID // "unknown-rule")
|
|
64
|
+
+ " at " + (.File // "unknown-file")
|
|
65
|
+
+ ":" + ((.StartLine // 0) | tostring)
|
|
66
|
+
+ "\n match: " + ((.Match // .Secret // "REDACTED") | one_line)
|
|
67
|
+
' betterleaks-report.json > betterleaks-email-summary.txt
|
|
68
|
+
|
|
69
|
+
count="$(jq 'length' betterleaks-report.json)"
|
|
70
|
+
if (( count > 20 )); then
|
|
71
|
+
{
|
|
72
|
+
echo ""
|
|
73
|
+
echo "... and $((count - 20)) more finding(s). Download the artifact for full details."
|
|
74
|
+
} >> betterleaks-email-summary.txt
|
|
75
|
+
fi
|
|
76
|
+
else
|
|
77
|
+
echo "No JSON report was generated. Download the workflow logs for details." > betterleaks-email-summary.txt
|
|
78
|
+
fi
|
|
79
|
+
|
|
80
|
+
{
|
|
81
|
+
echo "text<<BETTERLEAKS_SUMMARY"
|
|
82
|
+
cat betterleaks-email-summary.txt
|
|
83
|
+
echo "BETTERLEAKS_SUMMARY"
|
|
84
|
+
} >> "$GITHUB_OUTPUT"
|
|
85
|
+
|
|
86
|
+
- name: Resolve committer email
|
|
87
|
+
id: committer
|
|
88
|
+
if: steps.betterleaks.outcome == 'failure'
|
|
89
|
+
shell: bash
|
|
90
|
+
run: |
|
|
91
|
+
committer_email="$(git log -1 --format='%ce')"
|
|
92
|
+
author_email="$(git log -1 --format='%ae')"
|
|
93
|
+
email="$committer_email"
|
|
94
|
+
if [[ -z "$email" || "$email" == *"noreply.github.com"* ]]; then
|
|
95
|
+
email="$author_email"
|
|
96
|
+
fi
|
|
97
|
+
if [[ "$email" =~ ^[^[:space:]@]+@[^[:space:]@]+\.[^[:space:]@]+$ && "$email" != *"noreply.github.com"* ]]; then
|
|
98
|
+
echo "email=$email" >> "$GITHUB_OUTPUT"
|
|
99
|
+
else
|
|
100
|
+
echo "No deliverable committer email found; skipping Betterleaks email notification."
|
|
101
|
+
echo "email=" >> "$GITHUB_OUTPUT"
|
|
102
|
+
fi
|
|
103
|
+
|
|
104
|
+
- name: Email committer on Betterleaks failure
|
|
105
|
+
if: steps.betterleaks.outcome == 'failure' && steps.committer.outputs.email != '' && env.SMTP_URL != '' && env.SMTP_EMAIL != ''
|
|
106
|
+
uses: dawidd6/action-send-mail@v18
|
|
107
|
+
with:
|
|
108
|
+
server_address: ${{ env.SMTP_URL }}
|
|
109
|
+
server_port: ${{ env.SMTP_PORT }}
|
|
110
|
+
secure: ${{ env.SMTP_PORT == '465' }}
|
|
111
|
+
username: ${{ env.SMTP_EMAIL }}
|
|
112
|
+
password: ${{ env.SMTP_PASSWORD }}
|
|
113
|
+
from: ${{ env.SMTP_EMAIL }}
|
|
114
|
+
to: ${{ steps.committer.outputs.email }}
|
|
115
|
+
subject: "[Betterleaks] Secret scan failed in ${{ github.repository }}"
|
|
116
|
+
body: |
|
|
117
|
+
Betterleaks detected one or more potential secrets.
|
|
118
|
+
|
|
119
|
+
Repository: ${{ github.repository }}
|
|
120
|
+
Branch: ${{ github.ref_name }}
|
|
121
|
+
Commit: ${{ github.sha }}
|
|
122
|
+
Workflow run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
|
|
123
|
+
|
|
124
|
+
Findings:
|
|
125
|
+
${{ steps.leak_summary.outputs.text }}
|
|
126
|
+
|
|
127
|
+
Download the betterleaks-report artifact from the workflow run for details.
|
|
128
|
+
|
|
129
|
+
- name: Fail if Betterleaks found leaks
|
|
130
|
+
if: steps.betterleaks.outcome == 'failure'
|
|
131
|
+
run: |
|
|
132
|
+
echo "Betterleaks detected one or more secrets. Download the betterleaks-report artifact from this workflow run for details."
|
|
133
|
+
exit 1
|
package/.gitleaks.toml
ADDED
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
title = "Betterleaks config"
|
|
2
|
+
|
|
3
|
+
[extend]
|
|
4
|
+
useDefault = true
|
|
5
|
+
|
|
6
|
+
[[rules]]
|
|
7
|
+
id = "secret-literal-assignment"
|
|
8
|
+
description = "Secret-like literal assignment in source, YAML, env and config files"
|
|
9
|
+
regex = '''(?i)([A-Za-z0-9_.-]*(?:password|passwd|pwd|api[_-]?key|apikey|access[_-]?key|secret[_-]?access[_-]?key|private[_-]?key|client[_-]?secret|consumer[_-]?key|consumer[_-]?secret|(?:auth|access|refresh|session|api|bearer|id|jwt|csrf|xsrf|oauth)[_-]?token|translate[_-]?auth|translation[_-]?auth|auth[_-]?password|auth[_-]?key|auth[_-]?credentials|database[_-]?url|connection[_-]?string)[A-Za-z0-9_.-]*)[ \t]*[:=][ \t]*["'']?([^"''[:space:]#{}$.][^"''\n#{}]{2,})["'']?'''
|
|
10
|
+
secretGroup = 2
|
|
11
|
+
keywords = [
|
|
12
|
+
"password",
|
|
13
|
+
"passwd",
|
|
14
|
+
"pwd",
|
|
15
|
+
"api_key",
|
|
16
|
+
"apikey",
|
|
17
|
+
"access_key",
|
|
18
|
+
"private_key",
|
|
19
|
+
"client_secret",
|
|
20
|
+
"consumer_key",
|
|
21
|
+
"consumer_secret",
|
|
22
|
+
"auth_token",
|
|
23
|
+
"access_token",
|
|
24
|
+
"refresh_token",
|
|
25
|
+
"session_token",
|
|
26
|
+
"api_token",
|
|
27
|
+
"bearer_token",
|
|
28
|
+
"id_token",
|
|
29
|
+
"jwt_token",
|
|
30
|
+
"csrf_token",
|
|
31
|
+
"xsrf_token",
|
|
32
|
+
"oauth_token",
|
|
33
|
+
"translate_auth",
|
|
34
|
+
"translation_auth",
|
|
35
|
+
"auth_password",
|
|
36
|
+
"auth_key",
|
|
37
|
+
"auth_credentials",
|
|
38
|
+
"database_url",
|
|
39
|
+
"connection_string"
|
|
40
|
+
]
|
|
41
|
+
tags = ["literal-secret"]
|
|
42
|
+
|
|
43
|
+
[[rules]]
|
|
44
|
+
id = "env-short-secret-assignment"
|
|
45
|
+
description = "Uppercase env-style PASS/TOKEN/SECRET assignment"
|
|
46
|
+
regex = '''\b((?:PASS|TOKEN|SECRET|[A-Z0-9_]*(?:_PASS|_TOKEN|_SECRET|PASS_|TOKEN_|SECRET_)[A-Z0-9_]*))[ \t]*[:=][ \t]*["'']?([^"''[:space:]#{}$.][^"''\n#{}]{2,})["'']?'''
|
|
47
|
+
secretGroup = 2
|
|
48
|
+
keywords = [
|
|
49
|
+
"PASS",
|
|
50
|
+
"TOKEN",
|
|
51
|
+
"SECRET"
|
|
52
|
+
]
|
|
53
|
+
tags = ["env", "literal-secret"]
|
|
54
|
+
|
|
55
|
+
[[rules]]
|
|
56
|
+
id = "standalone-sk-token"
|
|
57
|
+
description = "Standalone sk-* token not attached to a secret-like variable name"
|
|
58
|
+
regex = '''(?i)\b(sk-[A-Za-z0-9][A-Za-z0-9_-]{20,})\b'''
|
|
59
|
+
secretGroup = 1
|
|
60
|
+
entropy = 2.5
|
|
61
|
+
keywords = ["sk-"]
|
|
62
|
+
tags = ["standalone-token", "generic"]
|
|
63
|
+
|
|
64
|
+
[[rules]]
|
|
65
|
+
id = "dotenv-only-jest-setup"
|
|
66
|
+
description = ".env may only contain the committed Jest setup lines"
|
|
67
|
+
path = '''(?i)(^|/)\.env$'''
|
|
68
|
+
regex = '''(?m)^(.+)$'''
|
|
69
|
+
secretGroup = 1
|
|
70
|
+
tags = ["file", "dotenv"]
|
|
71
|
+
[[rules.allowlists]]
|
|
72
|
+
regexTarget = "match"
|
|
73
|
+
regexes = [
|
|
74
|
+
'''^JEST_USE_SETUP=OFF # Jest configuration variables: ON, OFF\r?$''',
|
|
75
|
+
]
|
|
76
|
+
|
|
77
|
+
[[rules]]
|
|
78
|
+
id = "forbidden-secret-file"
|
|
79
|
+
description = "Forbidden secret-bearing file committed to repository"
|
|
80
|
+
path = '''(?i)(^|/)(\.env\..*|\.npmrc|\.pypirc|id_rsa|id_ed25519|.*\.(pem|key|p12|pfx|jks|kubeconfig))$'''
|
|
81
|
+
regex = '''(?s).{1,}'''
|
|
82
|
+
tags = ["file", "secret-file"]
|
|
83
|
+
|
|
84
|
+
[[allowlists]]
|
|
85
|
+
description = "Allow Jenkins SonarQube token environment variable reference"
|
|
86
|
+
regexTarget = "match"
|
|
87
|
+
regexes = [
|
|
88
|
+
'''SONAR_AUTH_TOKEN''',
|
|
89
|
+
]
|
package/CHANGELOG.md
CHANGED
|
@@ -4,11 +4,19 @@ All notable changes to this project will be documented in this file. Dates are d
|
|
|
4
4
|
|
|
5
5
|
Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
|
|
6
6
|
|
|
7
|
-
### [1.3.
|
|
7
|
+
### [1.3.3](https://github.com/eea/volto-bise-policy/compare/1.3.2...1.3.3) - 6 July 2026
|
|
8
|
+
|
|
9
|
+
#### :house: Internal changes
|
|
10
|
+
|
|
8
11
|
|
|
9
12
|
#### :hammer_and_wrench: Others
|
|
10
13
|
|
|
11
|
-
-
|
|
14
|
+
- test: pin Chromium version 149 to work with Cypress [valentinab25 - [`5841387`](https://github.com/eea/volto-bise-policy/commit/5841387ae59380ee15af8c82a4df81c4767e1b7c)]
|
|
15
|
+
- Update Betterleaks email notification [Dobricean Ioan Dorian - [`45fae4c`](https://github.com/eea/volto-bise-policy/commit/45fae4cea316af3d3b846d4d7754e63bd7baeaac)]
|
|
16
|
+
- Update Betterleaks config documentation [Dobricean Ioan Dorian - [`e6742c2`](https://github.com/eea/volto-bise-policy/commit/e6742c23bffe88fef239354723dc8ae9aba94469)]
|
|
17
|
+
- Fix betterleaks findings [Dobricean Ioan Dorian - [`b9ef9ba`](https://github.com/eea/volto-bise-policy/commit/b9ef9baf5f6b1036e8d83f90a582298c3688a7ba)]
|
|
18
|
+
### [1.3.2](https://github.com/eea/volto-bise-policy/compare/1.3.1...1.3.2) - 24 June 2026
|
|
19
|
+
|
|
12
20
|
### [1.3.1](https://github.com/eea/volto-bise-policy/compare/1.3.0...1.3.1) - 23 June 2026
|
|
13
21
|
|
|
14
22
|
### [1.3.0](https://github.com/eea/volto-bise-policy/compare/1.3.0-beta.2...1.3.0) - 22 June 2026
|
|
@@ -103,8 +111,6 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
|
|
|
103
111
|
|
|
104
112
|
#### :house: Internal changes
|
|
105
113
|
|
|
106
|
-
- chore: [JENKINSFILE] add package version in sonarqube [valentinab25 - [`4c2d75b`](https://github.com/eea/volto-bise-policy/commit/4c2d75bbf6dca47929c6613749169b40ed483985)]
|
|
107
|
-
- chore: [JENKINSFILE] use sonarqube branches [EEA Jenkins - [`f99c622`](https://github.com/eea/volto-bise-policy/commit/f99c622726cfd711704f50218a2f1fe833974ec3)]
|
|
108
114
|
|
|
109
115
|
#### :hammer_and_wrench: Others
|
|
110
116
|
|
|
@@ -367,7 +373,6 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
|
|
|
367
373
|
- chore: customize root theme to use volto-spotlight - refs #259794 [ana-oprea - [`347f96e`](https://github.com/eea/volto-bise-policy/commit/347f96e335139f9656abd34c308c531b05de85e7)]
|
|
368
374
|
- chore: change the theme and alias to volto-spotlight and add volto-spotlight to package.json - refs #259794 [ana-oprea - [`52732a1`](https://github.com/eea/volto-bise-policy/commit/52732a17b3247a04ffae0a3f5118e173afa98157)]
|
|
369
375
|
- chore: change theme to eea-volto-theme, change config.alias - refs #259794 [ana-oprea - [`c2d08ea`](https://github.com/eea/volto-bise-policy/commit/c2d08ea08a7f0e5f6f7d32149e60ea3f3e901923)]
|
|
370
|
-
- chore: [JENKINS] Refactor automated testing [valentinab25 - [`a3c9488`](https://github.com/eea/volto-bise-policy/commit/a3c9488c5d09ba97fe5976675524d436080a2460)]
|
|
371
376
|
- chore: husky, lint-staged use fixed versions [valentinab25 - [`fddc30f`](https://github.com/eea/volto-bise-policy/commit/fddc30f11a1d8ec290edaca2d924282f5e113bc6)]
|
|
372
377
|
- chore:volto 16 in tests, update docs, fix stylelint overrides [valentinab25 - [`005ce74`](https://github.com/eea/volto-bise-policy/commit/005ce742dbd014fde27e417059251233365766dd)]
|
|
373
378
|
|
|
@@ -380,17 +385,9 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
|
|
|
380
385
|
- test: Update jest,Jenkinsfile,lint to volto-addons-template PR30 [valentinab25 - [`c1277ba`](https://github.com/eea/volto-bise-policy/commit/c1277bacf840ee9feccbfd6a2c85f0b25a9a9125)]
|
|
381
386
|
- test: Update jest,Jenkinsfile,lint to volto-addons-template PR30 [valentinab25 - [`c944153`](https://github.com/eea/volto-bise-policy/commit/c944153710fd53c5d48863cf363464273e25f52e)]
|
|
382
387
|
- test: Update jest,Jenkinsfile,lint to volto-addons-template PR30 [valentinab25 - [`d648d52`](https://github.com/eea/volto-bise-policy/commit/d648d525a2fc5076577fe0f75ff9782bf0d1d4e9)]
|
|
383
|
-
- test: [JENKINS] fix jest config, fail with logs on coverage [valentinab25 - [`2a7affe`](https://github.com/eea/volto-bise-policy/commit/2a7affe33d737704bdba117c4a5c8c6748ef7a47)]
|
|
384
|
-
- test: [JENKINS] fix jest config, fail with logs on coverage [valentinab25 - [`5929642`](https://github.com/eea/volto-bise-policy/commit/59296420105d0e8c1f1547aa0cd17a019e478c2b)]
|
|
385
|
-
- test: [JENKINS] fix jest config, fail with logs on coverage [valentinab25 - [`b1142f1`](https://github.com/eea/volto-bise-policy/commit/b1142f1da3667a9f56720f65bebce897a5dd8005)]
|
|
386
388
|
- test: cypress should not wait for navigation, actions, types - refs #259794 [ana-oprea - [`188637c`](https://github.com/eea/volto-bise-policy/commit/188637c78a0cae71b5ee48022507d559dfaceb3e)]
|
|
387
|
-
- test: [JENKINS] Use java17 for sonarqube scanner [valentinab25 - [`fa4e473`](https://github.com/eea/volto-bise-policy/commit/fa4e473018386ec3f09d7300d655c8cccdc19a0e)]
|
|
388
|
-
- test: [JENKINS] Run cypress in started frontend container [valentinab25 - [`1d9135b`](https://github.com/eea/volto-bise-policy/commit/1d9135bb878b3c7a1b828085b99b9d27d78ce60e)]
|
|
389
389
|
- remove cypress tests as it doesn t work on bise [Dobricean Ioan Dorian - [`ba7e2de`](https://github.com/eea/volto-bise-policy/commit/ba7e2defea2dcfd01537c3abb41fa9515ff0a3e3)]
|
|
390
390
|
- add mega menu layout settings as #259794 said [dobri1408 - [`b9a3683`](https://github.com/eea/volto-bise-policy/commit/b9a3683e7d85f8c88ad8feac975c47c434f62c4a)]
|
|
391
|
-
- test: [JENKINS] Add cpu limit on cypress docker [valentinab25 - [`9181908`](https://github.com/eea/volto-bise-policy/commit/9181908c7f4b51bdf83a34f8c7f25827de9b1cc6)]
|
|
392
|
-
- test: [JENKINS] Increase shm-size to cypress docker [valentinab25 - [`099d796`](https://github.com/eea/volto-bise-policy/commit/099d79669471e6924bf1e0bc51a79d54379c3a1a)]
|
|
393
|
-
- test: [JENKINS] Improve cypress time [valentinab25 - [`6d5d8e2`](https://github.com/eea/volto-bise-policy/commit/6d5d8e29b04ddb92628245570055067ca3dcbb6c)]
|
|
394
391
|
- test: fix comment [valentinab25 - [`4f27d5a`](https://github.com/eea/volto-bise-policy/commit/4f27d5af2e8895c7af4f1157521ca42682b96e23)]
|
|
395
392
|
- test: EN locales, pre-commit fix, feature PRs checks Refs #257193 [valentinab25 - [`4c2fcb0`](https://github.com/eea/volto-bise-policy/commit/4c2fcb01065e1ef962317ba7be788fd1df079618)]
|
|
396
393
|
- test: Update Makefile and docker-compose to align it with Jenkinsfile [valentinab25 - [`89afaa1`](https://github.com/eea/volto-bise-policy/commit/89afaa15892930452027ef8c8593fc6d193cda70)]
|
package/README.md
CHANGED
|
@@ -80,6 +80,65 @@ See [RELEASE.md](https://github.com/eea/volto-bise-policy/blob/master/RELEASE.md
|
|
|
80
80
|
|
|
81
81
|
See [DEVELOP.md](https://github.com/eea/volto-bise-policy/blob/master/DEVELOP.md).
|
|
82
82
|
|
|
83
|
+
## Secret Scanning
|
|
84
|
+
|
|
85
|
+
This repository uses the Betterleaks GitHub Action to scan the current
|
|
86
|
+
repository content on every push and pull request. The scan uses the rules in
|
|
87
|
+
`.gitleaks.toml` and uploads a `betterleaks-report` artifact when a finding is
|
|
88
|
+
detected.
|
|
89
|
+
|
|
90
|
+
If the optional SMTP secrets are configured, failed scans also send an email to
|
|
91
|
+
the last commit committer. The workflow expects these repository or
|
|
92
|
+
organization secrets:
|
|
93
|
+
|
|
94
|
+
- `SMTP_URL`
|
|
95
|
+
- `SMTP_PORT` (optional, defaults to `25`)
|
|
96
|
+
- `SMTP_EMAIL`
|
|
97
|
+
- `SMTP_PASSWORD` (optional if the SMTP server does not require authentication)
|
|
98
|
+
|
|
99
|
+
Port `465` is sent with direct TLS; other ports use the default SMTP handshake.
|
|
100
|
+
The email includes a short finding summary from the redacted Betterleaks report,
|
|
101
|
+
including the redacted matched line from each finding.
|
|
102
|
+
|
|
103
|
+
There are three common outcomes:
|
|
104
|
+
|
|
105
|
+
1. **Everything is OK.** The `Betterleaks / Scan for secrets` check is green and
|
|
106
|
+
no action is needed. Regular references to runtime values are OK, for example:
|
|
107
|
+
|
|
108
|
+
```js
|
|
109
|
+
const tokenFromCookie = req.universalCookies.get('auth_token');
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
2. **A real secret was found.** The check is red and the workflow log asks you to
|
|
113
|
+
download the `betterleaks-report` artifact. Open the artifact from the GitHub
|
|
114
|
+
Actions run and check the reported file, line and rule. Remove the committed
|
|
115
|
+
value, move it to the proper secret store, and rotate it if it was exposed.
|
|
116
|
+
A report entry looks like this:
|
|
117
|
+
|
|
118
|
+
```json
|
|
119
|
+
{
|
|
120
|
+
"RuleID": "secret-literal-assignment",
|
|
121
|
+
"File": "src/config.js",
|
|
122
|
+
"StartLine": 12,
|
|
123
|
+
"Secret": "[REDACTED]"
|
|
124
|
+
}
|
|
125
|
+
```
|
|
126
|
+
|
|
127
|
+
3. **The finding is a false positive.** Keep the value only if it is clearly not
|
|
128
|
+
sensitive, such as a test fixture, placeholder, or public example. Add
|
|
129
|
+
`betterleaks:allow` on the same line and include a short explanation in the
|
|
130
|
+
pull request.
|
|
131
|
+
|
|
132
|
+
```js
|
|
133
|
+
const testPassword = 'admin'; //betterleaks:allow
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
```yaml
|
|
137
|
+
password: "admin" #betterleaks:allow
|
|
138
|
+
```
|
|
139
|
+
|
|
140
|
+
Do not add `betterleaks:allow` to real credentials.
|
|
141
|
+
|
|
83
142
|
## Copyright and license
|
|
84
143
|
|
|
85
144
|
The Initial Owner of the Original Code is European Environment Agency (EEA).
|
package/RELEASE.md
CHANGED
|
@@ -33,7 +33,7 @@ Release-it is a tool that automates 4 important steps in the release process:
|
|
|
33
33
|
To configure the authentification, you need to export GITHUB_TOKEN for [GitHub](https://github.com/settings/tokens)
|
|
34
34
|
|
|
35
35
|
```
|
|
36
|
-
export GITHUB_TOKEN=
|
|
36
|
+
export GITHUB_TOKEN="${GITHUB_TOKEN}"
|
|
37
37
|
```
|
|
38
38
|
|
|
39
39
|
To configure npm, you can use the `npm login` command or use a configuration file with a TOKEN :
|