From 23c8deebd20cc04bdb0445a301d4cde1c9d9dfaa Mon Sep 17 00:00:00 2001 From: Dmitry Gusev Date: Sun, 24 May 2026 20:09:23 +0300 Subject: [PATCH] =?UTF-8?q?chore(security):=20.gitignore=20+=20.gitleaks.t?= =?UTF-8?q?oml=20=D0=B7=D0=B0=D1=89=D0=B8=D1=82=D0=B0=20=D0=BE=D1=82=20CMS?= =?UTF-8?q?-export=20leak?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Превентивная защита от случайной публикации content/logs, content/data, ghost.*.json (см. инцидент moovg_ru 2026-05-24). Co-Authored-By: Claude Opus 4.7 --- .gitignore | 12 +++++++++++- .gitleaks.toml | 9 +++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 58bd849..9346951 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,13 @@ +# Security: НЕ коммитить production logs и CMS data exports +# (могут содержать API keys, JWT, private_key). См. инцидент 2026-05-24. +content/logs/ +content/data/ +*.production.log +*.production.log.* +ghost.json +ghost.*.json +*.ghost.*.json + # build output dist/ .astro/ @@ -21,4 +31,4 @@ pnpm-debug.log* .DS_Store # jetbrains setting folder -.idea/ +.idea/ \ No newline at end of file diff --git a/.gitleaks.toml b/.gitleaks.toml index fa99dcc..6bbde1c 100644 --- a/.gitleaks.toml +++ b/.gitleaks.toml @@ -29,6 +29,15 @@ paths = [ '''.*\.min\.(js|css)$''', '''dist/.*''', '''build/.*''', + + # Защита на случай возврата CMS exports / production logs в репо + # (см. инцидент 2026-05-24 с Ghost ghost_private_key + members_private_key). + # Сами файлы УЖЕ удалены из history через git filter-repo, allowlist — + # дополнительная защита для будущих commit'ов. + '''content/logs/.*''', + '''content/data/.*''', + '''.*\.production\.log(\.[0-9]+)?$''', + '''.*\.ghost\..*\.json$''', ] # Конкретные паттерны, которые false-positive