From f1babff8a0dcbcc84412a58b47645652424168e0 Mon Sep 17 00:00:00 2001 From: Sebastian Dimunzio Date: Fri, 24 Apr 2026 11:21:00 -0300 Subject: [PATCH 1/3] refactor: remove Gitleaks, clean up entrypoint scripts, and update formatting in docker-compose.yml --- .gitignore | 1 + .gitleaks.toml | 27 --------------------------- .pre-commit-config.yaml | 12 ------------ docker-compose.yml | 13 +++---------- entrypoint.sh | 2 +- gitleaks-report.json | 1 - superset-proxy/entrypoint.sh | 14 +++++++------- 7 files changed, 12 insertions(+), 58 deletions(-) delete mode 100644 .gitleaks.toml delete mode 100644 .pre-commit-config.yaml delete mode 100644 gitleaks-report.json diff --git a/.gitignore b/.gitignore index 612027a7..16ec9cb6 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ target ***REMOVED*** Secret purge script and artifacts purge-secrets.sh replacements.txt +.vscode \ No newline at end of file diff --git a/.gitleaks.toml b/.gitleaks.toml deleted file mode 100644 index 9a87b38a..00000000 --- a/.gitleaks.toml +++ /dev/null @@ -1,27 +0,0 @@ -***REMOVED*** Gitleaks configuration -***REMOVED*** See: https://github.com/gitleaks/gitleaks/tree/master***REMOVED***configuration - -title = "data-viz-api gitleaks config" - -[extend] -***REMOVED*** Extend the default ruleset -useDefault = true - -[[allowlists]] -description = "Allow Spring env-var fallback placeholders (not real secrets)" -regexes = [ - ***REMOVED*** Matches patterns like ${VAR_NAME:some-default-value} - '''\$\{[A-Z_]+:[^}]+\}''', - ***REMOVED*** Matches Docker Compose variable syntax ${VAR:-default} - '''\$\{[A-Z_]+:-[^}]+\}''', -] - -[[allowlists]] -description = "Allow placeholder values explicitly set to NONE or example values" -regexes = [ - '''google\.cloud\.key=NONE''', - '''google\.translation\.app=NONE''', - '''your-superset-instance\.example\.com''', - '''change-me-in-production''', - '''dev-only-jwt-secret''', -] 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml deleted file mode 100644 index 01ef0612..00000000 --- a/.pre-commit-config.yaml +++ /dev/null @@ -1,12 +0,0 @@ -***REMOVED*** Pre-commit hook configuration -***REMOVED*** Install: pip install pre-commit && pre-commit install -***REMOVED*** See: https://pre-commit.com - -repos: - - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.2 - hooks: - - id: gitleaks - name: Detect secrets with Gitleaks - description: Prevent committing secrets and credentials - args: ["--config=.gitleaks.toml"] diff --git a/docker-compose.yml b/docker-compose.yml index 9e8dc92b..ea86ba72 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ services: image: postgres:16.8 environment: POSTGRES_USER: postgres - ***REMOVED*** SECURITY: Override with a strong password in production via POSTGRES_PASSWORD env var + # REMOVED*** SECURITY: Override with a strong password in production via POSTGRES_PASSWORD env var POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-admin} POSTGRES_DB: viz ports: @@ -16,7 +16,6 @@ services: networks: backend-api: - eureka: build: context: ./registry @@ -36,15 +35,13 @@ services: networks: backend-api: - api-gateway: build: context: ./api-gateway dockerfile: Dockerfile environment: SPRING_DATASOURCE_URL: "jdbc:postgresql://postgres:5432/viz" - SPRING_DATASOURCE_USERNAME: "postgres" - ***REMOVED*** SECURITY: Override with a strong password via SPRING_DATASOURCE_PASSWORD env var in production + SPRING_DATASOURCE_USERNAME: "postgres" # SECURITY: Override with a strong password via SPRING_DATASOURCE_PASSWORD env var in production SPRING_DATASOURCE_PASSWORD: ${SPRING_DATASOURCE_PASSWORD:-admin} JAVA_OPTS: "-Xmx512m -Xms512m -XX:+UseG1GC -XX:InitialHeapSize=512m -XX:MaxHeapSize=512m -XX:+ParallelRefProcEnabled" ports: @@ -55,7 +52,6 @@ services: networks: backend-api: - api-security: build: context: ./api-security 
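Review bot: The restored comment above POSTGRES_PASSWORD still carries residue from the secret-purge rewrite — the new side reads `# REMOVED*** SECURITY: Override with a strong password …` — so the `***REMOVED***` to `#` cleanup is incomplete on this line; it should read `# SECURITY: Override with a strong password in production via POSTGRES_PASSWORD env var`, matching the `# SECURITY:` form the commit uses for the api-gateway service. Separately, `${POSTGRES_PASSWORD:-admin}` on the next line still silently falls back to `admin` whenever the variable is unset; if this compose file is used anywhere beyond local development, `${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}` makes the stack fail fast instead of starting with a guessable credential.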
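Review bot: Folding the SECURITY comment onto the `SPRING_DATASOURCE_USERNAME: "postgres"` line makes it read as a note about the username, while the value it warns about is `${SPRING_DATASOURCE_PASSWORD:-admin}` on the line below. I would keep it as its own line directly above SPRING_DATASOURCE_PASSWORD, `# SECURITY: Override with a strong password via SPRING_DATASOURCE_PASSWORD env var in production`, or replace the comment with a fail-closed default, `SPRING_DATASOURCE_PASSWORD: ${SPRING_DATASOURCE_PASSWORD:?SPRING_DATASOURCE_PASSWORD must be set}`. Note the fallback is the same `admin` the postgres service defaults to, so an unset variable still yields a working but trivially guessable credential pair for the database.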
@@ -71,7 +67,6 @@ services: networks: backend-api: - superset-proxy: build: context: ./superset-proxy @@ -88,7 +83,7 @@ services: SPRING_APPLICATION_NAME: "superset-proxy" SPRING_DATA_REDIS_HOST: "cache" SPRING_DATA_REDIS_PORT: "6379" - ***REMOVED*** SECURITY: Override with a strong password via SPRING_DATA_REDIS_PASSWORD env var in production + #SECURITY: Override with a strong password via SPRING_DATA_REDIS_PASSWORD env var in production SPRING_DATA_REDIS_PASSWORD: ${SPRING_DATA_REDIS_PASSWORD:-admin} SPRING_DATA_CACHE_TYPE: "redis" ports: @@ -100,7 +95,6 @@ services: networks: backend-api: - cache: image: redis:6.2-alpine restart: always @@ -115,6 +109,5 @@ services: volumes: cache: - networks: backend-api: diff --git a/entrypoint.sh b/entrypoint.sh index 7e3d3cf6..830c6c5e 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,4 +1,4 @@ -***REMOVED***!/bin/bash +#!/bin/bash PROP_FILE="/etc/$1.properties" truncate -s 0 $PROP_FILE diff --git a/gitleaks-report.json b/gitleaks-report.json deleted file mode 100644 index fe51488c..00000000 --- a/gitleaks-report.json +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/superset-proxy/entrypoint.sh b/superset-proxy/entrypoint.sh index 11eef8b6..b9d1a370 100755 --- a/superset-proxy/entrypoint.sh +++ b/superset-proxy/entrypoint.sh @@ -1,4 +1,4 @@ -***REMOVED***!/bin/bash +#!/bin/bash PROP_FILE="/etc/$1.properties" truncate -s 0 $PROP_FILE @@ -13,15 +13,15 @@ to_camel_case() { local output="" IFS='/' read -ra parts <<< "$input" output="${parts[0]}" - for ((i=1; i<${***REMOVED***parts[@]}; i++)); do + for ((i=1; i<${#parts[@]}; i++)); do part="${parts[i]}" output+="${part^}" done echo "$output" } - ***REMOVED***EUREKA_CLIENT_SERVICE/URL_DEFAULT/ZONE - ***REMOVED***eureka.client.serviceUrl.defaultZone + #EUREKA_CLIENT_SERVICE/URL_DEFAULT/ZONE + #eureka.client.serviceUrl.defaultZone while IFS='=' read -r -d '' n v; do if [[ $n == SPRING_* || $n == EUREKA_* ]]; then 
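Review bot: With the shebang restored the script is executed by bash again, but the lines that follow it still run without strict mode and without checking `$1`: if the service name is missing, `truncate -s 0 $PROP_FILE` zeroes `/etc/.properties`, and the unquoted `$PROP_FILE` is subject to word splitting. I would add, directly after the shebang, `set -euo pipefail`, change the assignment to `PROP_FILE="/etc/${1:?service name required}.properties"`, and quote the target, `truncate -s 0 "$PROP_FILE"`. Since docker-compose.yml passes database and cache passwords into these containers via SPRING_* variables and the properties file is presumably where they end up, consider `umask 077` before the file is created so it is not world-readable inside the container; the rest of the script is outside this hunk.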
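Review bot: superset-proxy/entrypoint.sh has the same gap as the root entrypoint.sh once its shebang works again: no `set -euo pipefail`, no guard on `$1`, and an unquoted `truncate -s 0 $PROP_FILE` that would clear `/etc/.properties` when the argument is absent. The three-line fix is `set -euo pipefail`, `PROP_FILE="/etc/${1:?service name required}.properties"` and `truncate -s 0 "$PROP_FILE"`. Both entrypoints share this header verbatim, so keeping the two in sync (or sourcing one from the other) avoids fixing it twice.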
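Review bot: The `${#parts[@]}` repair makes to_camel_case valid bash again, but the loop that follows it filters on `if [[ $n == SPRING_* || $n == EUREKA_* ]]`, so SPRING_DATASOURCE_PASSWORD and SPRING_DATA_REDIS_PASSWORD from docker-compose.yml match and are presumably written into `$PROP_FILE` (the branch body is outside this hunk). That file is created at the top of the script by `truncate -s 0 $PROP_FILE` with whatever umask the container runs with, typically 022, which leaves a file holding credentials readable by every user in the container; `umask 077` before the truncate, or `chmod 600 "$PROP_FILE"` right after it, closes that. A short comment above the loop such as `# Mirror SPRING_*/EUREKA_* env vars into the properties file; this includes secrets, keep the file mode restrictive` would make the intent explicit. The while loop continues past the end of the hunk.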
@@ -60,9 +60,9 @@ to_camel_case() { echo 'server.compression.enabled=true' >> $PROP_FILE - echo '***REMOVED*** ======================================== - ***REMOVED*** GZIP Compression Settings for Spring Boot - ***REMOVED*** ======================================== + echo '# ======================================== + # GZIP Compression Settings for Spring Boot + # ======================================== server.compression.enabled=true server.compression.mime-types=application/json,application/xml,text/html,text/xml,text/plain server.compression.min-response-size=1024 From 966cc7fedb067bd4f4e2ca7e13ff0177b2c46765 Mon Sep 17 00:00:00 2001 From: Sebastian Dimunzio Date: Fri, 24 Apr 2026 11:29:52 -0300 Subject: [PATCH 2/3] chore: add Copilot instructions for security and compliance and remove Gitleaks secret scanning workflow --- .github/workflows/secret-scan.yml | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 .github/workflows/secret-scan.yml diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml deleted file mode 100644 index 74b42063..00000000 --- a/.github/workflows/secret-scan.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: Secret Scan - -on: - push: - branches: ["**"] - pull_request: - branches: ["**"] - -jobs: - gitleaks: - name: Detect Secrets (Gitleaks) - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Run Gitleaks - uses: gitleaks/gitleaks-action@v2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 52001a1d323fc5cd02503ffb63acabca2148ba84 Mon Sep 17 00:00:00 2001 From: Sebastian Dimunzio Date: Fri, 24 Apr 2026 11:29:58 -0300 Subject: [PATCH 3/3] feat: add copilot instructions for security, PII, and license compliance review --- .github/copilot-instructions.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/copilot-instructions.md 
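Review bot: The restored comment block re-emits `server.compression.enabled=true`, which the `echo 'server.compression.enabled=true' >> $PROP_FILE` line two lines above already writes, so the property appears twice in the generated file; dropping the standalone echo removes the duplication without changing the effective configuration. The multi-line echo whose string begins at `echo '# ====…` closes outside this hunk, so its redirection target is not visible here, and `$PROP_FILE` on the first line is still unquoted.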
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 00000000..a9d5bb60 --- /dev/null +++ b/.github/copilot-instructions.md @@ -0,0 +1,12 @@ +Base Behavior +Continue to perform your standard code review, summarization, and bug detection as usual. +Do not suppress your default helpful observations or summaries. + +Sensitive data review + Flag and require review and possible removal, whenever you detect PII, passwords, keys, potential client/private data, and/or related sensitive data committed to the repository. + +Dependencies license review + Flag and require review and possible removal or replace with alternatives, whenever you detect directly added licensed code or dependency libraries being imported through dependency managers (maven, npm, pip, etc), that are not in line with the current repository license terms, as saved in the LICENSE file in the project root. For this particular repository, the license being used right now is Apache License Version 2.0. Flag any dependency and/or code imported or used, that is licensed with a commercial license, as particularly high risk. Flag any AGPL or similar strong copyleft licenses as very hi risk. Only open source licenses are allowed that are not strong copyleft. Flag dependencies with missing/unknown licenses. + +Security Review + Perform a review of potential issues exposing vulnerabilities in code that can be easily exploited by third parties, if they have access to this repository source code - unprotected endpoints or ports, simple default passwords, unsafe authentication methods, unencrypted communication, etc.
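Review bot: These instructions only take effect when Copilot code review is enabled for the repository and invoked on a pull request, and its findings are advisory, so together with the deletions of .gitleaks.toml, .pre-commit-config.yaml and secret-scan.yml earlier in this series the repository is left with no deterministic, blocking secret check at commit or push time — a model reviewer can miss a high-entropy token that a pattern scanner catches, and it does not run on direct pushes to branches. I would keep a scanner as a hard gate (the removed gitleaks-action, or GitHub push protection) and treat this file as a complement rather than a replacement. In the "Sensitive data review" paragraph, removal alone is not sufficient once a credential has reached a commit; add `Treat any committed credential as compromised: require rotation in addition to removal, since git history retains it.` Minor wording: `very hi risk` should read `very high risk`, and `possible removal or replace with alternatives` reads better as `possible removal or replacement with alternatives`.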