From 1bd561cc834c12b6021aac7ae528b3b8b1f6cb3c Mon Sep 17 00:00:00 2001
From: Claude Code
Date: Mon, 7 Jul 2025 20:06:10 -0400
Subject: [PATCH] Improve security check to avoid false positives
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated secret detection to look for actual hardcoded tokens (pk./sk. patterns) rather than environment variable references. This prevents false positives when using process.env.MAPBOX_ACCESS_TOKEN correctly.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 .forgejo/workflows/ci.yml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index 957e034..f9cdba1 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -142,11 +142,19 @@ jobs:
 - name: Check for secrets
 run: |
 echo "Checking for potential secrets..."
- ! find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -l "MAPBOX_ACCESS_TOKEN" || \
- (echo "❌ Found hardcoded Mapbox token!" && exit 1)
+ # Check for hardcoded Mapbox tokens (pk. or sk. prefixes)
+ if find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "(pk\.|sk\.)[a-zA-Z0-9]{50,}" > /dev/null 2>&1; then
+ echo "❌ Found hardcoded Mapbox token!"
+ find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "(pk\.|sk\.)[a-zA-Z0-9]{50,}"
+ exit 1
+ fi
- ! find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -l "ADMIN_PASSWORD" || \
- (echo "❌ Found hardcoded admin password!" && exit 1)
+ # Check for hardcoded admin passwords (avoid env var references)
+ if find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "ADMIN_PASSWORD.*=.*['\"][^'\"]*['\"]" > /dev/null 2>&1; then
+ echo "❌ Found hardcoded admin password!"
+ find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "ADMIN_PASSWORD.*=.*['\"][^'\"]*['\"]"
+ exit 1
+ fi
 echo "✅ No hardcoded secrets found"