Developer Kit
Secret Leakage Preventer
Scans code and commits for hardcoded secrets, API keys, connection strings, and credentials, then proposes secure alternatives. Useful for preventing the leading class of AI-era security incidents. Built for backend engineers and DevOps leads who want a pre-commit safety net against secret leakage, security teams enforcing credential hygiene without blocking developer velocity, and indie developers preparing for enterprise customer security reviews. AI agents routinely inline API keys into example code, copy test credentials into production files, or propagate leaked values across commits. Once a secret lands in git history, rotation cost jumps from minutes to hours, and detection via public scanners (GitHub Secret Scanning, TruffleHog) happens only after damage is done. A scanner integrated into the coding session catches exposure before it leaves the developer's machine.
One-Time Purchase
$19.99
Secret Leakage Scan — src/ + last 20 commits
Scan completed: 2025-06-11 14:32 UTC
Scope: 847 files across src/, config/, scripts/, tests/ · Last 20 commits (a3f1d09→main)
Engine version: SLP-2.4.1
Scan Summary
| Metric | Count |
|---|---|
| Files scanned | 847 |
| Commits scanned | 20 |
| Total findings | 7 |
| High confidence | 5 |
| Medium confidence | 1 |
| Low confidence | 1 |
| Rotation required | 5 |
| Non-findings (placeholders/examples skipped) | 14 |
Findings
Finding 1 · 🔴 HIGH CONFIDENCE
Credential class: AWS Access Key ID + Secret Access Key (correlated pair)
Location: config/deploy.env · Lines 12–13
Committed: Yes — first seen in commit a3f1d09 (2025-05-03)
Rotation required: ✅ YES
| Field | Value |
|---|---|
| Access Key ID | AKIA...R7QK |
| Secret Access Key | wJal...Yx3K |
Secure replacement:
# config/deploy.env
AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
Inject via AWS Secrets Manager, GitHub Actions secret, or .env loaded by direnv (never committed).
Finding 2 · 🔴 HIGH CONFIDENCE
Credential class: Stripe Secret Key (sk_live_ prefix)
Location: src/payments/stripe_client.py · Line 8
Committed: Yes — present in commits b22c841, d90fa1e, f031cc2
Rotation required: ✅ YES
| Field | Value |
|---|---|
| Secret Key | sk_l...T9pz |
Secure replacement:
import os
import stripe
stripe.api_key = os.environ["STRIPE_SECRET_KEY"]
Rotate immediately at dashboard.stripe.com → Developers → API keys. All three commits must be rewritten (see Git History Remediation).
Finding 3 · 🔴 HIGH CONFIDENCE
Credential class: PostgreSQL connection string (credentials embedded in URI)
Location: src/db/connection.py · Line 3
Committed: Yes — commit c1188bd
Rotation required: ✅ YES
| Field | Value |
|---|---|
| Connection URI | post...d%40! |
| Extracted username | adm... (truncated) |
| Extracted password | Tr0u...d%40! |
Secure replacement:
import os
DATABASE_URL = os.environ["DATABASE_URL"]
Rotate database password immediately. If this is a production host, audit connection logs for the period since c1188bd (2025-04-18).
Finding 4 · 🔴 HIGH CONFIDENCE
Credential class: JWT signing secret (symmetric, HS256-compatible length)
Location: src/auth/tokens.py · Line 21
Committed: Yes — commit e77b302
Rotation required: ✅ YES — all issued tokens signed with this secret are compromised
| Field | Value |
|---|---|
| Secret value | mYs3...K!9q |
Secure replacement:
import os
JWT_SECRET = os.environ["JWT_SECRET"]
Rotate secret and invalidate all existing sessions. Consider adding a kid (key ID) claim to support future zero-downtime rotation.
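The `kid` (key ID) recommendation above is the one step in this finding that is not a one-line change, so here is an added example of what it looks like in practice. It is not code from the product or the scanned project: a minimal HS256 key ring (stdlib `hmac`/`hashlib` only, no JWT library) where exactly one key signs, every listed key verifies, and retiring a key rejects every token it signed. The secrets and the `2025-05`/`2025-06` kid names are constructed; in a real service the key material would come from the environment or a secrets manager, as the report's replacements do.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class KeyRing:
    """HS256 keys addressed by kid. One key signs; any listed key verifies."""

    def __init__(self, keys: dict, current: str):
        self.keys = dict(keys)  # kid -> secret bytes (load from env in production)
        self.current = current

    def rotate(self, kid: str, secret: bytes) -> None:
        """Add a new signing key. Old keys keep verifying until retired."""
        self.keys[kid] = secret
        self.current = kid

    def retire(self, kid: str) -> None:
        """Drop a key so every token signed with it is rejected from now on.
        For a leaked secret this is the 'invalidate all existing sessions' step."""
        if kid == self.current:
            raise ValueError("rotate to a new key before retiring the current one")
        self.keys.pop(kid, None)

    def sign(self, claims: dict, ttl: int = 3600, now=None) -> str:
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT", "kid": self.current}
        body = dict(claims, iat=now, exp=now + ttl)
        signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                         + "." + _b64url(json.dumps(body, separators=(",", ":")).encode()))
        sig = hmac.new(self.keys[self.current], signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def verify(self, token: str, now=None) -> dict:
        now = int(time.time()) if now is None else now
        try:
            h64, p64, s64 = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        header = json.loads(_b64url_decode(h64))
        # Pin the algorithm server-side; never let the token choose the verifier.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        secret = self.keys.get(header.get("kid"))
        if secret is None:
            raise ValueError("unknown or retired kid")
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(p64))
        if claims.get("exp", 0) <= now:
            raise ValueError("expired")
        return claims


def rotation_demo() -> dict:
    """Zero-downtime rotation followed by retirement of the old key (constructed secrets)."""
    ring = KeyRing({"2025-05": b"constructed-old-secret-not-real"}, current="2025-05")
    t0 = 1_700_000_000
    old_token = ring.sign({"sub": "user-42"}, now=t0)
    ring.rotate("2025-06", b"constructed-new-secret-not-real")
    new_token = ring.sign({"sub": "user-42"}, now=t0)
    still_valid = ring.verify(old_token, now=t0 + 60)["sub"] == "user-42"
    ring.retire("2025-05")  # after this, every session under the old secret is gone
    try:
        ring.verify(old_token, now=t0 + 60)
        old_rejected = False
    except ValueError:
        old_rejected = True
    return {
        "old_kid_valid_after_rotate": still_valid,
        "old_kid_rejected_after_retire": old_rejected,
        "new_token_valid": ring.verify(new_token, now=t0 + 60)["sub"] == "user-42",
    }


if __name__ == "__main__":
    print(rotation_demo())
```

For the compromised-secret case in this finding, `rotate` and `retire` are run back to back: the new key goes live first so the service never lacks a signer, then retiring the leaked kid invalidates every outstanding session in one step. For routine rotation, the old key is retired only after its longest-lived token has expired.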
Finding 5 · 🔴 HIGH CONFIDENCE
Credential class: GitHub Personal Access Token (ghp_ prefix)
Location: scripts/release.sh · Line 44
Committed: No — file is in .gitignore; detected in working tree only
Rotation required: ⚠️ RECOMMENDED — token has repo scope; revoke if unused
| Field | Value |
|---|---|
| Token | ghp_...xQ8m |
Secure replacement:
GH_TOKEN="${GH_TOKEN}" gh release create ...
Store in GitHub Actions secret GH_TOKEN or a password manager. Never hardcode PATs even in ignored files — .gitignore entries can be overridden accidentally.
Finding 6 · 🟡 MEDIUM CONFIDENCE
Credential class: Generic bearer token (Authorization header value hardcoded in test helper)
Location: tests/helpers/api_mock.py · Line 67
Committed: Yes — commit f9a3310
Rotation required: ⚠️ CONDITIONAL — if this token is a real credential copied from a live environment, rotate immediately. If synthetic, document clearly.
| Field | Value |
|---|---|
| Token value | Bear...k3R= |
Note: Pattern matches a base64-encoded bearer token but does not match any known service's format. Manually verify whether this is a real token or a hand-crafted test fixture. If synthetic, add a comment # test fixture — not a real credential and consider adding to .slp-ignore.
Secure replacement (if real):
import os
TEST_AUTH_TOKEN = os.environ.get("TEST_AUTH_TOKEN", "test-fixture-token-not-real")
Finding 7 · 🟢 LOW CONFIDENCE
Credential class: Unknown — high-entropy string (Shannon entropy ≥ 4.8 bits/char, 40 chars, hex-safe charset)
Location: src/integrations/webhooks.py · Line 112
Committed: Yes — commit a1d55f7
Rotation required: ⚠️ CONDITIONAL — verify nature of value before acting
| Field | Value |
|---|---|
| String value | d4e8...3c91 |
Note: This string does not match any known credential format. It may be a webhook signing secret, a session salt, an internal feature flag key, or a non-secret hash. Do not rotate blindly. Confirm with the committing author (git log --follow -p src/integrations/webhooks.py).
Action Plan
Prioritized remediation steps:
🔴 Immediate (before next deployment)
- Rotate AWS credentials (Finding 1) — disable AKIA...R7QK in IAM console, generate new key pair, audit CloudTrail for unauthorized usage since 2025-05-03.
- Rotate Stripe secret key (Finding 2) — new key must be live before old key is revoked; update all environments atomically.
- Rotate PostgreSQL password (Finding 3) — coordinate with DBA; update DATABASE_URL in all environment secret stores before rotating.
- Rotate JWT secret + invalidate sessions (Finding 4) — communicate session expiry to users if applicable; deploy new secret before rewriting history.
🟡 Within 24 hours
- Revoke GitHub PAT (Finding 5) — even though not committed, a hardcoded PAT in any file is a liability.
- Classify bearer token (Finding 6) — determine real vs. synthetic; rotate or annotate accordingly.
🟢 Within 72 hours
- Investigate high-entropy string (Finding 7) — confirm whether rotation is needed.
Git History Remediation
Affected findings: 1, 2, 3, 4, 6, 7 (6 findings committed to history)
Tool recommendation: git-filter-repo (preferred over BFG for modern repos)
⚠️ Coordination warning: History rewriting changes commit SHAs for every affected commit and all descendants. All collaborators must delete their local clones and re-clone after the force-push. Coordinate with your team before proceeding. Open pull requests will be invalidated.
Step-by-step
# 1. Install git-filter-repo
pip install git-filter-repo
# 2. Back up the repository
cp -r my-repo my-repo-backup
# 3. Create a replacements file (one line per secret: the full real value on the left, its replacement on the right)
# Format: literal==>REPLACEMENT
# Example:
# wJalxxxxxxxxxxxxxxxx/xxxxxxxEXAMPLEKEY==>REDACTED_AWS_SECRET
# Populate this file with the actual secret values before running.
cat > replacements.txt <<'EOF'
<actual-secret-1>==>REDACTED_REMOVED
<actual-secret-2>==>REDACTED_REMOVED
# ... one entry per confirmed secret
EOF
# 4. Run filter-repo
git filter-repo --replace-text replacements.txt
# 5. Force-push ALL branches and tags
git push origin --force --all
git push origin --force --tags
# 6. Rotate all secrets BEFORE force-push goes live (secrets are exposed
# until rotation is complete, regardless of history rewrite status)
# 7. Notify all collaborators to re-clone
Alternative: BFG Repo-Cleaner
# Create a file with one secret per line (exact values)
java -jar bfg.jar --replace-text secrets.txt my-repo.git
cd my-repo && git reflog expire --expire=now --all && git gc --prune=now --aggressive
git push origin --force --all
Note: BFG does not rewrite the latest commit on protected branches by default. Verify your branch protection rules allow force-push temporarily, or use git filter-repo for full control.
Skipped (Non-Findings)
The following were evaluated and excluded as placeholder/example values:
| Location | Reason |
|---|---|
| config/settings.example.env · all keys | .example file — excluded by policy |
| docs/quickstart.md · your_stripe_key_here | Placeholder pattern |
| tests/fixtures/mock_aws.py · AKIAIOSFODNN7EXAMPLE | AWS documentation example key |
| README.md · sk_test_4eC39Hq... | Stripe test-mode prefix + known doc example |
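To show how the findings and the non-findings above fit together, here is an added example scanner (not the product's engine and not the scanned project's code) that implements the same three layers the report describes: prefix patterns for the named credential classes, a Shannon-entropy fallback for unknown formats, and an allow-list for documentation example keys, placeholder text and `.example` files. The regexes, the placeholder heuristics, the 0.85 normalised-entropy threshold and the whole sample file tree are this example's own assumptions; every key and password in it is constructed. Because a string restricted to hex digits has at most log2(16) = 4 bits/char of Shannon entropy, the fallback compares each candidate against the maximum for its own alphabet rather than a single fixed bits/char figure.

```python
import math
import re
from dataclasses import dataclass

# Known credential formats named in the report. The regexes follow each
# vendor's public prefix documentation and are this example's assumptions,
# not the product's detection rules.
PATTERNS = {
    "AWS Access Key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe Secret Key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "GitHub Personal Access Token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "PostgreSQL URI with credentials": re.compile(
        r"\bpostgres(?:ql)?://[^:/\s]+:[^@\s]+@[^\s\"']+"),
}
# Values skipped as non-findings: vendor documentation example keys and
# obviously fake placeholder text.
KNOWN_EXAMPLES = {"AKIAIOSFODNN7EXAMPLE"}
PLACEHOLDER_RE = re.compile(r"your_|_here\b|changeme|xxxx", re.IGNORECASE)
# Fallback for unknown formats: long runs of hex / base64url characters.
# '=' is excluded on purpose so KEY=value lines split at the '='.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/_-]{32,}")
MIN_NORMALISED_ENTROPY = 0.85  # fraction of the alphabet's maximum (assumption)


@dataclass
class Finding:
    path: str
    line: int
    credential_class: str
    redacted: str
    confidence: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def charset_size(s: str) -> int:
    """16 for hex-only strings, otherwise treat the token as base64url."""
    return 16 if re.fullmatch(r"[0-9a-fA-F]+", s) else 64


def redact(value: str) -> str:
    """Report-style display: first four and last four characters only."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "****"


def is_placeholder(value: str) -> bool:
    return value in KNOWN_EXAMPLES or bool(PLACEHOLDER_RE.search(value))


def scan_line(path: str, lineno: int, line: str):
    found, skipped, covered = [], [], []
    for cls, rx in PATTERNS.items():
        for m in rx.finditer(line):
            covered.append(m.span())
            if is_placeholder(m.group()):
                skipped.append((path, f"{redact(m.group())}: placeholder/example value"))
            else:
                found.append(Finding(path, lineno, cls, redact(m.group()), "HIGH"))
    for m in CANDIDATE_RE.finditer(line):
        tok = m.group()
        overlaps = any(m.start() < b and a < m.end() for a, b in covered)
        if overlaps or is_placeholder(tok):
            continue
        if shannon_entropy(tok) >= MIN_NORMALISED_ENTROPY * math.log2(charset_size(tok)):
            found.append(Finding(path, lineno, "Unknown high-entropy string", redact(tok), "LOW"))
    return found, skipped


def scan_files(files: dict):
    """Return (findings, skipped) over a {path: text} mapping."""
    findings, skipped = [], []
    for path, text in files.items():
        if ".example" in path:
            skipped.append((path, ".example file excluded by policy"))
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            f, s = scan_line(path, lineno, line)
            findings.extend(f)
            skipped.extend(s)
    return findings, skipped


# Constructed sample tree; every value below is fake.
SAMPLE_FILES = {
    "config/deploy.env": "AWS_ACCESS_KEY_ID=AKIAQ3ZX7M4P2R9T1V0W\nAWS_REGION=us-east-1\n",
    "src/payments/stripe_client.py": 'stripe.api_key = "sk_live_9Xq2LmT7vB4kR8wZ1nQ5yH3c"\n',
    "src/db/connection.py": 'DATABASE_URL = "postgresql://admin:Tr0ub4dor%40!@db.internal:5432/app"\n',
    "src/integrations/webhooks.py": 'SIGNING_SECRET = "d4e8a1f72b0c59363c91b7e0f5a2d8467f03c9e5b1a68d24"\n',
    "tests/fixtures/mock_aws.py": 'FAKE_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "config/settings.example.env": "STRIPE_SECRET_KEY=sk_live_xxxxxxxxxxxxxxxxxxxxxxxx\n",
    "docs/quickstart.md": "export STRIPE_SECRET_KEY=your_stripe_key_here\n",
}

if __name__ == "__main__":
    found, skipped = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.confidence:4} {f.path}:{f.line} {f.credential_class} {f.redacted}")
    for path, reason in skipped:
        print(f"SKIP {path}: {reason}")
```

Run as a pre-commit check, `scan_files` would be fed the staged blobs instead of `SAMPLE_FILES`; the overlap test in `scan_line` keeps a Stripe key from being reported twice (once by prefix, once by entropy), and the `.example` and documentation-key skips are what keep the report's non-findings table separate from the findings.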
Scan produced by ClearPoint Nexus — Secret Leakage Preventer skill v2.4.1. Re-run after history rewrite to confirm clean state.
All sales final. No refunds on digital products.
Includes support for Claude Code, Codex, and OpenClaw in the same license.
What You Get With This Skill
Scans code and commits for hardcoded secrets, API keys, connection strings, and credentials, then proposes secure alternatives. Useful for preventing the leading class of AI-era security incidents.
All ClearPoint Nexus Skills Include
- Production-ready workflow packaging for three supported platforms.
- Reusable structure designed for repeatable operator tasks.
- Clear deliverable format, not just raw prompt output.