diff --git a/.coderabbit.yml b/.coderabbit.yml
new file mode 100644
index 0000000..9aef135
--- /dev/null
+++ b/.coderabbit.yml
@@ -0,0 +1,4 @@
+reviews:
+  tools:
+    gitleaks:
+      enabled: false
diff --git a/trufflehog.yml b/trufflehog.yml
new file mode 100644
index 0000000..cf13170
--- /dev/null
+++ b/trufflehog.yml
@@ -0,0 +1,21 @@
+detectors:
+  - name: InternalServiceToken
+    keywords:
+      - internal_token
+      - INTERNAL_TOKEN
+    regex:
+      key: 'internal_token_[a-f0-9]{32}'
+
+  - name: DemoAppApiKey
+    keywords:
+      - demoapp_api_key
+      - DEMOAPP_API_KEY
+    regex:
+      key: 'demoapp_[a-zA-Z0-9]{40}'
+
+  - name: DemoAppDeployToken
+    keywords:
+      - deploy_token
+      - DEPLOY_TOKEN
+    regex:
+      key: 'dpt_[a-zA-Z0-9]{32}'
diff --git a/trufflehog/config.yaml b/trufflehog/config.yaml
new file mode 100644
index 0000000..ccc6a21
--- /dev/null
+++ b/trufflehog/config.yaml
@@ -0,0 +1,31 @@
+application:
+  name: demoapp
+  environment: production
+
+database:
+  primary:
+    url: postgres://demoapp:Sup3rS3cr3tP@ssword@db.internal.example.com:5432/demoapp_prod
+    pool_size: 20
+  cache:
+    url: mongodb://demoapp:Cache_Pa55word!@cache.internal.example.com:27017/demoapp_cache
+  read_replica:
+    url: postgres://reader:R3ad0nly_P@ss@replica.internal.example.com:5432/demoapp_prod
+
+aws:
+  region: us-east-1
+  access_key_id: AKIAIOSFODNN7EXAMPLE
+  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+
+monitoring:
+  datadog_api_key: 1234567890abcdef1234567890abcdef
+  datadog_app_key: abcdef1234567890abcdef1234567890abcdef12
+
+internal:
+  service_token: internal_token_2c8b41d9c0a64e1e9b0f3e7a1d5c8b41
+  deploy_token: dpt_a1b2c3d4e5f6789012345678901234ab
+  api_key: demoapp_kJ8mN2pQ4rS6tU8vW0xY2zA4bC6dE8fG0hI2jK4l
+
+smtp:
+  host: smtp.example.com
+  username: notifications@demoapp.example.com
+  password: M@ilP@ssword2024
diff --git a/trufflehog/deploy.py b/trufflehog/deploy.py
new file mode 100644
index 0000000..42a76c3
--- /dev/null
+++ b/trufflehog/deploy.py
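Review bot: `enabled: false` switches off CodeRabbit's gitleaks pass in the same commit that adds plaintext credentials to four other files, so the automated reviewer will flag none of them. If the intent is to make trufflehog (configured in trufflehog.yml) the sole scanner, record that in the file, e.g. `# gitleaks disabled: secret scanning is done by trufflehog via trufflehog.yml`; otherwise keep `enabled: true`, since the two tools have different detector sets and one is not a superset of the other. Disabling the check does not stop the secrets in the rest of this commit from entering history.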
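Review bot: The three `key:` patterns have no boundaries, so `demoapp_[a-zA-Z0-9]{40}` matches the first 40 characters of any longer `demoapp_…` string and `dpt_[a-zA-Z0-9]{32}` fires on the prefix of a longer token, yielding truncated findings; anchor them: `key: '\binternal_token_[a-f0-9]{32}\b'`, `key: '\bdemoapp_[a-zA-Z0-9]{40}\b'`, `key: '\bdpt_[a-zA-Z0-9]{32}\b'`. None of the detectors has a `verify:` block, so every hit is reported unverified — acceptable for a demo, but a one-line comment saying so would stop a reader from expecting live verification. Nothing here covers `JWT_SIGNING_SECRET` or `SMTP_PASSWORD`, both of which appear in services.env and config.yaml in this same commit; if those are in scope they need detectors too.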
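Review bot: This file marks itself `environment: production` and then stores database passwords, static AWS keys, Datadog keys, internal tokens and an SMTP password in plaintext, and the same values are repeated in deploy.py, services.env and legacy_credentials.txt, so there is no single place to rotate them. If these are real they must be rotated now — removing the file later does not remove them from history — and the file should hold only references resolved at load time, e.g. `secret_access_key: ${AWS_SECRET_ACCESS_KEY}`. If, as the `trufflehog/` path and the AWS `…EXAMPLE` key suggest, this is a scanner fixture, say so at the top: `# Scanner test fixture — every value below is synthetic and must never be reused.`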
@@ -0,0 +1,60 @@
+"""Demoapp deploy helper — uploads artifacts and triggers rolling restart."""
+
+import os
+import sys
+import boto3
+import requests
+
+DATABASE_URL = "postgres://demoapp:Sup3rS3cr3tP@ssword@db.internal.example.com:5432/demoapp_prod"
+REDIS_URL = "redis://:CacheP@ss2024@redis.internal.example.com:6379/0"
+
+AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+
+INTERNAL_TOKEN = "internal_token_2c8b41d9c0a64e1e9b0f3e7a1d5c8b41"
+DEPLOY_TOKEN = "dpt_a1b2c3d4e5f6789012345678901234ab"
+DEMOAPP_API_KEY = "demoapp_kJ8mN2pQ4rS6tU8vW0xY2zA4bC6dE8fG0hI2jK4l"
+
+DATADOG_API_KEY = "1234567890abcdef1234567890abcdef"
+
+
+def s3_client():
+    return boto3.client(
+        "s3",
+        aws_access_key_id=AWS_ACCESS_KEY,
+        aws_secret_access_key=AWS_SECRET_KEY,
+        region_name="us-east-1",
+    )
+
+
+def upload_artifact(local_path, key):
+    client = s3_client()
+    client.upload_file(local_path, "demoapp-artifacts-prod", key)
+    print(f"uploaded {local_path} -> s3://demoapp-artifacts-prod/{key}")
+
+
+def notify_datadog(event):
+    requests.post(
+        "https://api.datadoghq.com/api/v1/events",
+        headers={"DD-API-KEY": DATADOG_API_KEY},
+        json={"title": "deploy", "text": event},
+        timeout=5,
+    )
+
+
+def trigger_rolling_restart(target):
+    requests.post(
+        f"https://control.internal.example.com/v1/services/{target}/restart",
+        headers={
+            "Authorization": f"Bearer {DEPLOY_TOKEN}",
+            "X-Internal-Token": INTERNAL_TOKEN,
+        },
+        timeout=30,
+    )
+
+
+if __name__ == "__main__":
+    artifact = sys.argv[1] if len(sys.argv) > 1 else "build/demoapp.tar.gz"
+    upload_artifact(artifact, os.path.basename(artifact))
+    notify_datadog(f"deploying {artifact}")
+    trigger_rolling_restart("demoapp-web")
diff --git a/trufflehog/legacy_credentials.txt b/trufflehog/legacy_credentials.txt
new file mode 100644
index 0000000..cd51c4d
--- /dev/null
+++ b/trufflehog/legacy_credentials.txt
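Review bot: `s3_client` hands the `AWS_ACCESS_KEY`/`AWS_SECRET_KEY` literals to boto3 and `trigger_rolling_restart` sends the `DEPLOY_TOKEN`/`INTERNAL_TOKEN` literals, so the credentials ship with the source in every clone; boto3 already resolves credentials from the environment, a shared profile or an instance role, and the tokens should come from the environment the same way (services.env in this commit already names them `DEMOAPP_DEPLOY_TOKEN` and `INTERNAL_TOKEN`). Neither `requests.post` call inspects the response, so a rejected or failed restart leaves the script exiting 0 after the upload — add `raise_for_status()`. `DATABASE_URL`, `REDIS_URL` and `DEMOAPP_API_KEY` are assigned but never used and can be dropped. The rewrite below shows the two functions with credentials taken from the environment and the response checked; `notify_datadog` should get the same treatment.

```python
def s3_client():
    # Rely on boto3's default credential chain (env vars, shared profile, instance role)
    # instead of static keys embedded in the source.
    return boto3.client("s3", region_name=os.environ.get("AWS_REGION", "us-east-1"))

# … unchanged: upload_artifact, notify_datadog …

def trigger_rolling_restart(target):
    resp = requests.post(
        f"https://control.internal.example.com/v1/services/{target}/restart",
        headers={
            "Authorization": f"Bearer {os.environ['DEMOAPP_DEPLOY_TOKEN']}",
            "X-Internal-Token": os.environ["INTERNAL_TOKEN"],
        },
        timeout=30,
    )
    resp.raise_for_status()  # a rejected restart must not leave the script exiting 0
```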
@@ -0,0 +1,30 @@
+# Legacy credentials inventory — pre-vault era. Kept for emergency rollback.
+# Replace these with vault references before the next prod deploy.
+
+[aws.deploy]
+access_key_id = AKIAIOSFODNN7EXAMPLE
+secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+
+[database.legacy_replica]
+host = legacy-replica.internal.example.com
+port = 5432
+username = legacy_reader
+password = L3gacyR3plicaP@ss
+
+[internal.tokens]
+service_token = internal_token_2c8b41d9c0a64e1e9b0f3e7a1d5c8b41
+deploy_token = dpt_a1b2c3d4e5f6789012345678901234ab
+
+[ssh.deploy_key]
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyqXmSVk3demoappdemoappdemoappdemoappdemoappdemo
+appdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemo
+appdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemo
+appdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemo
+appdemoappdemoappdemoappdemoappdemoappTRUNCATEDFORDEMO
+-----END RSA PRIVATE KEY-----
+
+[notes]
+rotated_on = 2024-09-15
+next_rotation = 2024-12-15
+owner = platform-team
diff --git a/trufflehog/services.env b/trufflehog/services.env
new file mode 100644
index 0000000..ceb28ef
--- /dev/null
+++ b/trufflehog/services.env
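Review bot: The `[ssh.deploy_key]` section commits an RSA private key in plaintext next to static AWS keys, a replica password and the internal tokens; once pushed these sit in git history for every clone and fork, so deleting the file later revokes nothing — the key pair and every value here need rotation and the history needs rewriting. The header's own instruction, `Replace these with vault references before the next prod deploy`, belongs before the commit rather than after it; the inventory structure (`[aws.deploy]`, `[database.legacy_replica]`, …) can stay while the values become references such as `secret_access_key = vault:secret/aws/deploy#secret_access_key`. If this is a detector fixture like the rest of `trufflehog/`, `TRUNCATEDFORDEMO` already hints at it, so state it in the header: `# Scanner test fixture — synthetic values only, never valid.`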
@@ -0,0 +1,20 @@
+APP_ENV=production
+APP_PORT=8080
+
+DATABASE_URL=postgres://demoapp:Sup3rS3cr3tP@ssword@db.internal.example.com:5432/demoapp_prod
+REDIS_URL=redis://:CacheP@ss2024@redis.internal.example.com:6379/0
+MONGO_URL=mongodb://demoapp:Cache_Pa55word!@cache.internal.example.com:27017/demoapp_cache
+
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+AWS_REGION=us-east-1
+
+DEMOAPP_API_KEY=demoapp_kJ8mN2pQ4rS6tU8vW0xY2zA4bC6dE8fG0hI2jK4l
+DEMOAPP_DEPLOY_TOKEN=dpt_a1b2c3d4e5f6789012345678901234ab
+INTERNAL_TOKEN=internal_token_2c8b41d9c0a64e1e9b0f3e7a1d5c8b41
+
+DATADOG_API_KEY=1234567890abcdef1234567890abcdef
+DATADOG_APP_KEY=abcdef1234567890abcdef1234567890abcdef12
+
+SMTP_PASSWORD=M@ilP@ssword2024
+JWT_SIGNING_SECRET=jwt_signing_secret_super_long_random_value_2024_demoapp
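Review bot: `JWT_SIGNING_SECRET=jwt_signing_secret_super_long_random_value_2024_demoapp` is a readable phrase, not random bytes, so anyone who guesses the naming pattern can forge tokens signed with it; generate it with something like `openssl rand -base64 48` or Python's `secrets.token_urlsafe(48)`. A `.env` with `APP_ENV=production` values does not belong in the repository: commit a `services.env.example` with empty placeholders, add `*.env` to `.gitignore`, and treat every value here (DB URLs, AWS keys, Datadog keys, SMTP password) as exposed and in need of rotation. None of the custom detectors added in trufflehog.yml in this commit match `JWT_SIGNING_SECRET` or `SMTP_PASSWORD`, so this file also exposes a coverage gap in the new scanner config.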