2022-11-20 20:03:01 -06:00
#!/bin/bash
# Ignore Ansibilized templates.
2022-12-18 22:24:44 -06:00
saferegex = '\{\{.+\}\}|secrets\['
2022-11-20 20:03:01 -06:00
# Ignore comments
2022-12-18 22:14:25 -06:00
saferegex = " $saferegex " '|^[a-z,A-Z,0-9,_,-,/,.]+:\s*;|^[a-z,A-Z,0-9,_,-,/,.]+:\s*#|^[a-z,A-Z,0-9,_,-,/,.]+:\s*//|\s+[/]?[*][/]?\s+'
2022-11-20 20:03:01 -06:00
# AniNIX Constructs
saferegex = " $saferegex " '|password.aninix.net|aur.list'
# Web constructs
saferegex = " $saferegex " '|.css:|.html:|.md:|htdocs|htpasswd'
# Ignore template text to set policy
saferegex = " $saferegex " '|_LENGTH|Set new|attempt|pwdchange'
# haveibeenpwned is referenced in comments
saferegex = " $saferegex " '|haveibeenpwned'
# Unset variables.
saferegex = " $saferegex " '|\s+=\s*$|\s+yes$|\s+no$'
# Ignore LDAP attributes
saferegex = " $saferegex " '|pwpolicies|pwdLastSuccess|pwdAttribute|pwdMaxAge|pwdExpireWarning|pwdInHistory|pwdCheckQuality|pwdMaxFailure|pwdLockout|pwdLockoutDuration|pwdGraceAuthNLimit|pwdFailureCountInterval|pwdMustChange|pwdMinLength|pwdAllowUserChange|pwdSafeModify|pwdChangedTime|pwdPolicy|last changed their password on|/root/.ldappass'
2022-12-18 22:14:25 -06:00
# Ignore IRC Modules
saferegex = " $saferegex " '|m_password_hash.so|/quote ns identify|SELECT|password_attribute|SET PASS|SASET PASS'
2023-07-19 15:41:27 -05:00
# Ignore SSH known hosts
saferegex = " $saferegex ""|ssh_known_hosts:|"
2022-11-20 20:03:01 -06:00
2023-07-19 15:41:27 -05:00
git ls-files roles/*/{ files,templates} | xargs grep -irE 'secret|password|pw|passphrase|pass=' | grep -vE " $saferegex "
2022-11-20 20:03:01 -06:00
if [ $? -ne 1 ] ; then
echo
echo If these are false positives, you need to add the signature to the whitelist in $0 .
echo Otherwise, convert any files above to templates and encode the passphrase into your vault.
exit 1;
fi