@eeacms/volto-bise-policy 1.3.2 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,133 @@
1
+ name: Betterleaks
2
+
3
+ on:
4
+ push:
5
+ pull_request:
6
+
7
+ permissions:
8
+ contents: read
9
+
10
+ jobs:
11
+ scan:
12
+ name: Scan for secrets
13
+ runs-on: ubuntu-latest
14
+ env:
15
+ SMTP_URL: ${{ secrets.SMTP_URL }}
16
+ SMTP_PORT: ${{ secrets.SMTP_PORT || '25' }}
17
+ SMTP_EMAIL: ${{ secrets.SMTP_EMAIL }}
18
+ SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
19
+ steps:
20
+ - name: Checkout repository
21
+ uses: actions/checkout@v4
22
+ with:
23
+ fetch-depth: 1
24
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
25
+
26
+ - name: Run Betterleaks
27
+ id: betterleaks
28
+ continue-on-error: true
29
+ uses: dortort/betterleaks-action@v0.1.0
30
+ with:
31
+ github-token: ${{ secrets.GITHUB_TOKEN }}
32
+ scan-mode: dir
33
+ scan-path: .
34
+ config: .gitleaks.toml
35
+ report-format: json
36
+ report-path: betterleaks-report.json
37
+ redact: "true"
38
+ no-color: "true"
39
+ no-banner: "true"
40
+ fail-on-leak: "true"
41
+
42
+ - name: Upload Betterleaks report
43
+ if: always()
44
+ uses: actions/upload-artifact@v4
45
+ with:
46
+ name: betterleaks-report
47
+ path: betterleaks-report.json
48
+ if-no-files-found: ignore
49
+
50
+ - name: Build Betterleaks email summary
51
+ id: leak_summary
52
+ if: steps.betterleaks.outcome == 'failure'
53
+ shell: bash
54
+ run: |
55
+ if [[ -s betterleaks-report.json ]]; then
56
+ jq -r '
57
+ def one_line:
58
+ tostring
59
+ | gsub("[\r\n]+"; " ")
60
+ | if length > 240 then .[0:240] + "..." else . end;
61
+
62
+ .[:20][]
63
+ | "- " + (.RuleID // "unknown-rule")
64
+ + " at " + (.File // "unknown-file")
65
+ + ":" + ((.StartLine // 0) | tostring)
66
+ + "\n match: " + ((.Match // .Secret // "REDACTED") | one_line)
67
+ ' betterleaks-report.json > betterleaks-email-summary.txt
68
+
69
+ count="$(jq 'length' betterleaks-report.json)"
70
+ if (( count > 20 )); then
71
+ {
72
+ echo ""
73
+ echo "... and $((count - 20)) more finding(s). Download the artifact for full details."
74
+ } >> betterleaks-email-summary.txt
75
+ fi
76
+ else
77
+ echo "No JSON report was generated. Download the workflow logs for details." > betterleaks-email-summary.txt
78
+ fi
79
+
80
+ {
81
+ echo "text<<BETTERLEAKS_SUMMARY"
82
+ cat betterleaks-email-summary.txt
83
+ echo "BETTERLEAKS_SUMMARY"
84
+ } >> "$GITHUB_OUTPUT"
85
+
86
+ - name: Resolve committer email
87
+ id: committer
88
+ if: steps.betterleaks.outcome == 'failure'
89
+ shell: bash
90
+ run: |
91
+ committer_email="$(git log -1 --format='%ce')"
92
+ author_email="$(git log -1 --format='%ae')"
93
+ email="$committer_email"
94
+ if [[ -z "$email" || "$email" == *"noreply.github.com"* ]]; then
95
+ email="$author_email"
96
+ fi
97
+ if [[ "$email" =~ ^[^[:space:]@]+@[^[:space:]@]+\.[^[:space:]@]+$ && "$email" != *"noreply.github.com"* ]]; then
98
+ echo "email=$email" >> "$GITHUB_OUTPUT"
99
+ else
100
+ echo "No deliverable committer email found; skipping Betterleaks email notification."
101
+ echo "email=" >> "$GITHUB_OUTPUT"
102
+ fi
103
+
104
+ - name: Email committer on Betterleaks failure
105
+ if: steps.betterleaks.outcome == 'failure' && steps.committer.outputs.email != '' && env.SMTP_URL != '' && env.SMTP_EMAIL != ''
106
+ uses: dawidd6/action-send-mail@v18
107
+ with:
108
+ server_address: ${{ env.SMTP_URL }}
109
+ server_port: ${{ env.SMTP_PORT }}
110
+ secure: ${{ env.SMTP_PORT == '465' }}
111
+ username: ${{ env.SMTP_EMAIL }}
112
+ password: ${{ env.SMTP_PASSWORD }}
113
+ from: ${{ env.SMTP_EMAIL }}
114
+ to: ${{ steps.committer.outputs.email }}
115
+ subject: "[Betterleaks] Secret scan failed in ${{ github.repository }}"
116
+ body: |
117
+ Betterleaks detected one or more potential secrets.
118
+
119
+ Repository: ${{ github.repository }}
120
+ Branch: ${{ github.ref_name }}
121
+ Commit: ${{ github.sha }}
122
+ Workflow run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
123
+
124
+ Findings:
125
+ ${{ steps.leak_summary.outputs.text }}
126
+
127
+ Download the betterleaks-report artifact from the workflow run for details.
128
+
129
+ - name: Fail if Betterleaks found leaks
130
+ if: steps.betterleaks.outcome == 'failure'
131
+ run: |
132
+ echo "Betterleaks detected one or more secrets. Download the betterleaks-report artifact from this workflow run for details."
133
+ exit 1
package/.gitleaks.toml ADDED
@@ -0,0 +1,89 @@
1
+ title = "Betterleaks config"
2
+
3
+ [extend]
4
+ useDefault = true
5
+
6
+ [[rules]]
7
+ id = "secret-literal-assignment"
8
+ description = "Secret-like literal assignment in source, YAML, env and config files"
9
+ regex = '''(?i)([A-Za-z0-9_.-]*(?:password|passwd|pwd|api[_-]?key|apikey|access[_-]?key|secret[_-]?access[_-]?key|private[_-]?key|client[_-]?secret|consumer[_-]?key|consumer[_-]?secret|(?:auth|access|refresh|session|api|bearer|id|jwt|csrf|xsrf|oauth)[_-]?token|translate[_-]?auth|translation[_-]?auth|auth[_-]?password|auth[_-]?key|auth[_-]?credentials|database[_-]?url|connection[_-]?string)[A-Za-z0-9_.-]*)[ \t]*[:=][ \t]*["'']?([^"''[:space:]#{}$.][^"''\n#{}]{2,})["'']?'''
10
+ secretGroup = 2
11
+ keywords = [
12
+ "password",
13
+ "passwd",
14
+ "pwd",
15
+ "api_key",
16
+ "apikey",
17
+ "access_key",
18
+ "private_key",
19
+ "client_secret",
20
+ "consumer_key",
21
+ "consumer_secret",
22
+ "auth_token",
23
+ "access_token",
24
+ "refresh_token",
25
+ "session_token",
26
+ "api_token",
27
+ "bearer_token",
28
+ "id_token",
29
+ "jwt_token",
30
+ "csrf_token",
31
+ "xsrf_token",
32
+ "oauth_token",
33
+ "translate_auth",
34
+ "translation_auth",
35
+ "auth_password",
36
+ "auth_key",
37
+ "auth_credentials",
38
+ "database_url",
39
+ "connection_string"
40
+ ]
41
+ tags = ["literal-secret"]
42
+
43
+ [[rules]]
44
+ id = "env-short-secret-assignment"
45
+ description = "Uppercase env-style PASS/TOKEN/SECRET assignment"
46
+ regex = '''\b((?:PASS|TOKEN|SECRET|[A-Z0-9_]*(?:_PASS|_TOKEN|_SECRET|PASS_|TOKEN_|SECRET_)[A-Z0-9_]*))[ \t]*[:=][ \t]*["'']?([^"''[:space:]#{}$.][^"''\n#{}]{2,})["'']?'''
47
+ secretGroup = 2
48
+ keywords = [
49
+ "PASS",
50
+ "TOKEN",
51
+ "SECRET"
52
+ ]
53
+ tags = ["env", "literal-secret"]
54
+
55
+ [[rules]]
56
+ id = "standalone-sk-token"
57
+ description = "Standalone sk-* token not attached to a secret-like variable name"
58
+ regex = '''(?i)\b(sk-[A-Za-z0-9][A-Za-z0-9_-]{20,})\b'''
59
+ secretGroup = 1
60
+ entropy = 2.5
61
+ keywords = ["sk-"]
62
+ tags = ["standalone-token", "generic"]
63
+
64
+ [[rules]]
65
+ id = "dotenv-only-jest-setup"
66
+ description = ".env may only contain the committed Jest setup lines"
67
+ path = '''(?i)(^|/)\.env$'''
68
+ regex = '''(?m)^(.+)$'''
69
+ secretGroup = 1
70
+ tags = ["file", "dotenv"]
71
+ [[rules.allowlists]]
72
+ regexTarget = "match"
73
+ regexes = [
74
+ '''^JEST_USE_SETUP=OFF # Jest configuration variables: ON, OFF\r?$''',
75
+ ]
76
+
77
+ [[rules]]
78
+ id = "forbidden-secret-file"
79
+ description = "Forbidden secret-bearing file committed to repository"
80
+ path = '''(?i)(^|/)(\.env\..*|\.npmrc|\.pypirc|id_rsa|id_ed25519|.*\.(pem|key|p12|pfx|jks|kubeconfig))$'''
81
+ regex = '''(?s).{1,}'''
82
+ tags = ["file", "secret-file"]
83
+
84
+ [[allowlists]]
85
+ description = "Allow Jenkins SonarQube token environment variable reference"
86
+ regexTarget = "match"
87
+ regexes = [
88
+ '''SONAR_AUTH_TOKEN''',
89
+ ]
package/CHANGELOG.md CHANGED
@@ -4,11 +4,19 @@ All notable changes to this project will be documented in this file. Dates are d
4
4
 
5
5
  Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
6
6
 
7
- ### [1.3.2](https://github.com/eea/volto-bise-policy/compare/1.3.1...1.3.2) - 24 June 2026
7
+ ### [1.3.3](https://github.com/eea/volto-bise-policy/compare/1.3.2...1.3.3) - 6 July 2026
8
+
9
+ #### :house: Internal changes
10
+
8
11
 
9
12
  #### :hammer_and_wrench: Others
10
13
 
11
- - remove CountryFlag customization from volto-bise-policy [Claudia Ifrim - [`b30ebf9`](https://github.com/eea/volto-bise-policy/commit/b30ebf985814b68aba43ee4f08586106e133d939)]
14
+ - test: pin Chromium version 149 to work with Cypress [valentinab25 - [`5841387`](https://github.com/eea/volto-bise-policy/commit/5841387ae59380ee15af8c82a4df81c4767e1b7c)]
15
+ - Update Betterleaks email notification [Dobricean Ioan Dorian - [`45fae4c`](https://github.com/eea/volto-bise-policy/commit/45fae4cea316af3d3b846d4d7754e63bd7baeaac)]
16
+ - Update Betterleaks config documentation [Dobricean Ioan Dorian - [`e6742c2`](https://github.com/eea/volto-bise-policy/commit/e6742c23bffe88fef239354723dc8ae9aba94469)]
17
+ - Fix betterleaks findings [Dobricean Ioan Dorian - [`b9ef9ba`](https://github.com/eea/volto-bise-policy/commit/b9ef9baf5f6b1036e8d83f90a582298c3688a7ba)]
18
+ ### [1.3.2](https://github.com/eea/volto-bise-policy/compare/1.3.1...1.3.2) - 24 June 2026
19
+
12
20
  ### [1.3.1](https://github.com/eea/volto-bise-policy/compare/1.3.0...1.3.1) - 23 June 2026
13
21
 
14
22
  ### [1.3.0](https://github.com/eea/volto-bise-policy/compare/1.3.0-beta.2...1.3.0) - 22 June 2026
@@ -103,8 +111,6 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
103
111
 
104
112
  #### :house: Internal changes
105
113
 
106
- - chore: [JENKINSFILE] add package version in sonarqube [valentinab25 - [`4c2d75b`](https://github.com/eea/volto-bise-policy/commit/4c2d75bbf6dca47929c6613749169b40ed483985)]
107
- - chore: [JENKINSFILE] use sonarqube branches [EEA Jenkins - [`f99c622`](https://github.com/eea/volto-bise-policy/commit/f99c622726cfd711704f50218a2f1fe833974ec3)]
108
114
 
109
115
  #### :hammer_and_wrench: Others
110
116
 
@@ -367,7 +373,6 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
367
373
  - chore: customize root theme to use volto-spotlight - refs #259794 [ana-oprea - [`347f96e`](https://github.com/eea/volto-bise-policy/commit/347f96e335139f9656abd34c308c531b05de85e7)]
368
374
  - chore: change the theme and alias to volto-spotlight and add volto-spotlight to package.json - refs #259794 [ana-oprea - [`52732a1`](https://github.com/eea/volto-bise-policy/commit/52732a17b3247a04ffae0a3f5118e173afa98157)]
369
375
  - chore: change theme to eea-volto-theme, change config.alias - refs #259794 [ana-oprea - [`c2d08ea`](https://github.com/eea/volto-bise-policy/commit/c2d08ea08a7f0e5f6f7d32149e60ea3f3e901923)]
370
- - chore: [JENKINS] Refactor automated testing [valentinab25 - [`a3c9488`](https://github.com/eea/volto-bise-policy/commit/a3c9488c5d09ba97fe5976675524d436080a2460)]
371
376
  - chore: husky, lint-staged use fixed versions [valentinab25 - [`fddc30f`](https://github.com/eea/volto-bise-policy/commit/fddc30f11a1d8ec290edaca2d924282f5e113bc6)]
372
377
  - chore:volto 16 in tests, update docs, fix stylelint overrides [valentinab25 - [`005ce74`](https://github.com/eea/volto-bise-policy/commit/005ce742dbd014fde27e417059251233365766dd)]
373
378
 
@@ -380,17 +385,9 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
380
385
  - test: Update jest,Jenkinsfile,lint to volto-addons-template PR30 [valentinab25 - [`c1277ba`](https://github.com/eea/volto-bise-policy/commit/c1277bacf840ee9feccbfd6a2c85f0b25a9a9125)]
381
386
  - test: Update jest,Jenkinsfile,lint to volto-addons-template PR30 [valentinab25 - [`c944153`](https://github.com/eea/volto-bise-policy/commit/c944153710fd53c5d48863cf363464273e25f52e)]
382
387
  - test: Update jest,Jenkinsfile,lint to volto-addons-template PR30 [valentinab25 - [`d648d52`](https://github.com/eea/volto-bise-policy/commit/d648d525a2fc5076577fe0f75ff9782bf0d1d4e9)]
383
- - test: [JENKINS] fix jest config, fail with logs on coverage [valentinab25 - [`2a7affe`](https://github.com/eea/volto-bise-policy/commit/2a7affe33d737704bdba117c4a5c8c6748ef7a47)]
384
- - test: [JENKINS] fix jest config, fail with logs on coverage [valentinab25 - [`5929642`](https://github.com/eea/volto-bise-policy/commit/59296420105d0e8c1f1547aa0cd17a019e478c2b)]
385
- - test: [JENKINS] fix jest config, fail with logs on coverage [valentinab25 - [`b1142f1`](https://github.com/eea/volto-bise-policy/commit/b1142f1da3667a9f56720f65bebce897a5dd8005)]
386
388
  - test: cypress should not wait for navigation, actions, types - refs #259794 [ana-oprea - [`188637c`](https://github.com/eea/volto-bise-policy/commit/188637c78a0cae71b5ee48022507d559dfaceb3e)]
387
- - test: [JENKINS] Use java17 for sonarqube scanner [valentinab25 - [`fa4e473`](https://github.com/eea/volto-bise-policy/commit/fa4e473018386ec3f09d7300d655c8cccdc19a0e)]
388
- - test: [JENKINS] Run cypress in started frontend container [valentinab25 - [`1d9135b`](https://github.com/eea/volto-bise-policy/commit/1d9135bb878b3c7a1b828085b99b9d27d78ce60e)]
389
389
  - remove cypress tests as it doesn t work on bise [Dobricean Ioan Dorian - [`ba7e2de`](https://github.com/eea/volto-bise-policy/commit/ba7e2defea2dcfd01537c3abb41fa9515ff0a3e3)]
390
390
  - add mega menu layout settings as #259794 said [dobri1408 - [`b9a3683`](https://github.com/eea/volto-bise-policy/commit/b9a3683e7d85f8c88ad8feac975c47c434f62c4a)]
391
- - test: [JENKINS] Add cpu limit on cypress docker [valentinab25 - [`9181908`](https://github.com/eea/volto-bise-policy/commit/9181908c7f4b51bdf83a34f8c7f25827de9b1cc6)]
392
- - test: [JENKINS] Increase shm-size to cypress docker [valentinab25 - [`099d796`](https://github.com/eea/volto-bise-policy/commit/099d79669471e6924bf1e0bc51a79d54379c3a1a)]
393
- - test: [JENKINS] Improve cypress time [valentinab25 - [`6d5d8e2`](https://github.com/eea/volto-bise-policy/commit/6d5d8e29b04ddb92628245570055067ca3dcbb6c)]
394
391
  - test: fix comment [valentinab25 - [`4f27d5a`](https://github.com/eea/volto-bise-policy/commit/4f27d5af2e8895c7af4f1157521ca42682b96e23)]
395
392
  - test: EN locales, pre-commit fix, feature PRs checks Refs #257193 [valentinab25 - [`4c2fcb0`](https://github.com/eea/volto-bise-policy/commit/4c2fcb01065e1ef962317ba7be788fd1df079618)]
396
393
  - test: Update Makefile and docker-compose to align it with Jenkinsfile [valentinab25 - [`89afaa1`](https://github.com/eea/volto-bise-policy/commit/89afaa15892930452027ef8c8593fc6d193cda70)]
package/README.md CHANGED
@@ -80,6 +80,65 @@ See [RELEASE.md](https://github.com/eea/volto-bise-policy/blob/master/RELEASE.md
80
80
 
81
81
  See [DEVELOP.md](https://github.com/eea/volto-bise-policy/blob/master/DEVELOP.md).
82
82
 
83
+ ## Secret Scanning
84
+
85
+ This repository uses the Betterleaks GitHub Action to scan the current
86
+ repository content on every push and pull request. The scan uses the rules in
87
+ `.gitleaks.toml` and uploads a `betterleaks-report` artifact when a finding is
88
+ detected.
89
+
90
+ If the optional SMTP secrets are configured, failed scans also send an email to
91
+ the last commit committer. The workflow expects these repository or
92
+ organization secrets:
93
+
94
+ - `SMTP_URL`
95
+ - `SMTP_PORT` (optional, defaults to `25`)
96
+ - `SMTP_EMAIL`
97
+ - `SMTP_PASSWORD` (optional if the SMTP server does not require authentication)
98
+
99
+ Port `465` is sent with direct TLS; other ports use the default SMTP handshake.
100
+ The email includes a short finding summary from the redacted Betterleaks report,
101
+ including the redacted matched line from each finding.
102
+
103
+ There are three common outcomes:
104
+
105
+ 1. **Everything is OK.** The `Betterleaks / Scan for secrets` check is green and
106
+ no action is needed. Regular references to runtime values are OK, for example:
107
+
108
+ ```js
109
+ const tokenFromCookie = req.universalCookies.get('auth_token');
110
+ ```
111
+
112
+ 2. **A real secret was found.** The check is red and the workflow log asks you to
113
+ download the `betterleaks-report` artifact. Open the artifact from the GitHub
114
+ Actions run and check the reported file, line and rule. Remove the committed
115
+ value, move it to the proper secret store, and rotate it if it was exposed.
116
+ A report entry looks like this:
117
+
118
+ ```json
119
+ {
120
+ "RuleID": "secret-literal-assignment",
121
+ "File": "src/config.js",
122
+ "StartLine": 12,
123
+ "Secret": "[REDACTED]"
124
+ }
125
+ ```
126
+
127
+ 3. **The finding is a false positive.** Keep the value only if it is clearly not
128
+ sensitive, such as a test fixture, placeholder, or public example. Add
129
+ `betterleaks:allow` on the same line and include a short explanation in the
130
+ pull request.
131
+
132
+ ```js
133
+ const testPassword = 'admin'; //betterleaks:allow
134
+ ```
135
+
136
+ ```yaml
137
+ password: "admin" #betterleaks:allow
138
+ ```
139
+
140
+ Do not add `betterleaks:allow` to real credentials.
141
+
83
142
  ## Copyright and license
84
143
 
85
144
  The Initial Owner of the Original Code is European Environment Agency (EEA).
package/RELEASE.md CHANGED
@@ -33,7 +33,7 @@ Release-it is a tool that automates 4 important steps in the release process:
33
33
  To configure the authentification, you need to export GITHUB_TOKEN for [GitHub](https://github.com/settings/tokens)
34
34
 
35
35
  ```
36
- export GITHUB_TOKEN=XXX-XXXXXXXXXXXXXXXXXXXXXX
36
+ export GITHUB_TOKEN="${GITHUB_TOKEN}"
37
37
  ```
38
38
 
39
39
  To configure npm, you can use the `npm login` command or use a configuration file with a TOKEN :
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@eeacms/volto-bise-policy",
3
- "version": "1.3.2",
3
+ "version": "1.3.3",
4
4
  "description": "@eeacms/volto-bise-policy: Volto add-on",
5
5
  "main": "src/index.js",
6
6
  "author": "European Environment Agency: IDM2 A-Team",