security(avow-protocol): remove leaked Cloudflare API token + harden scanner#161
Merged
A real Cloudflare API token was hardcoded at avow-protocol/deploy-repos.sh:5 in commit 5f2f8b2 (2026-05-18) and reported externally on 2026-05-21.

Changes:
- deploy-repos.sh: source CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID from env with hard-fail if unset (matches the pattern already used in avow-protocol/deploy-cloudflare.sh:60-72).
- DEPLOYMENT-SUCCESS.md: redact the account ID from the public doc.
- secret-scanner.yml: add a shell-secrets job (mirrors rust-secrets). The existing trufflehog --only-verified + gitleaks defaults both missed this leak at PR time; the new grep-based job would have caught it (self-tested).

Owner actions (out of band, not in this PR):
1. Rotate / delete the leaked token at Cloudflare → API Tokens (token id 689fa59a165c47cc61095d984c453205) — repo is public so the secret should be considered burned regardless of history rewrite.
2. History rewrite + force-push affected branches (tracked separately).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
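The two shell patterns the description relies on, shown together as an added example: a helper that sources a credential from the environment and hard-fails when it is unset, and a grep-based scan of `*.sh` files for hardcoded credential assignments of the kind a verified-only scanner can miss. This is not code from the avow-protocol repository or from this PR; the function names, the regex, the `secret-scan:allow` marker and the fixture files are this example's own assumptions. It goes slightly beyond the description by skipping allowlisted lines and by printing only file:line, so the CI log does not repeat the secret it found.

```shell
#!/usr/bin/env bash
# Added example (not from the avow-protocol repo or this PR). Demonstrates:
#   1. require_env: read a credential from the environment, hard-fail if unset/empty.
#   2. scan_shell_secrets: grep-based scan for hardcoded credential assignments in *.sh.
# Function names, the regex, the "secret-scan:allow" marker and the fixture are
# assumptions made here for illustration; adapt them to the repository being scanned.
set -u

# 1. Hard-fail on a missing credential. Indirect lookup via eval so one helper can
#    check any variable name; a deploy script never proceeds with an empty token.
require_env() {
  local name="$1" val
  eval "val=\${$name:-}"
  if [ -z "$val" ]; then
    printf 'error: %s is not set; export it before running this script\n' "$name" >&2
    return 1
  fi
  return 0
}

# 2. Grep-based scan. Matches NAME = "value" where NAME looks credential-like and the
#    value is a long literal. Values starting with "$" (env expansions such as
#    "${CLOUDFLARE_API_TOKEN:?}") do not match because "$" is outside the value class,
#    so env-sourced assignments pass. Lines tagged "secret-scan:allow" are skipped.
#    Only file:line is printed, so the CI log does not repeat the secret itself.
scan_shell_secrets() {
  local dir="$1" hits q names pat
  q="[\"']?"
  names='(CLOUDFLARE_API_TOKEN|CLOUDFLARE_ACCOUNT_ID|CF_API_TOKEN|[A-Z_]*(API_TOKEN|API_KEY|SECRET|PASSWORD))'
  pat="${names}[[:space:]]*=[[:space:]]*${q}[A-Za-z0-9_-]{20,}"
  hits=$(grep -rnE --include='*.sh' -e "$pat" "$dir" 2>/dev/null \
           | grep -v 'secret-scan:allow' \
           | cut -d: -f1,2)
  if [ -z "$hits" ]; then
    echo "no hardcoded credential assignments found under $dir"
    return 0
  fi
  printf '%s\n' "$hits" | while IFS= read -r h; do
    printf 'hardcoded credential assignment at %s\n' "$h"
  done
  return 1
}

# Constructed fixture: one script with fake hardcoded literals, one using the
# env-sourced pattern. The token and account ID values are made-up placeholders.
make_fixture() {
  local d
  d=$(mktemp -d)
  cat > "$d/leaked.sh" <<'EOF'
#!/bin/sh
# Hardcoded literals (constructed fakes, not real credentials).
CLOUDFLARE_API_TOKEN="EXAMPLE_FAKE_TOKEN_0123456789abcdefghij"
CLOUDFLARE_ACCOUNT_ID="00000000000000000000000000000000"
EOF
  cat > "$d/clean.sh" <<'EOF'
#!/bin/sh
# Env-sourced with hard fail: ${VAR:?msg} aborts the script when VAR is unset or empty.
: "${CLOUDFLARE_API_TOKEN:?CLOUDFLARE_API_TOKEN must be set}"
CF_ACCOUNT="${CLOUDFLARE_ACCOUNT_ID:?CLOUDFLARE_ACCOUNT_ID must be set}"
TEST_PASSWORD="placeholder_placeholder_value"  # secret-scan:allow
EOF
  printf '%s\n' "$d"
}

demo() {
  local d
  d=$(make_fixture)
  scan_shell_secrets "$d" || echo "scan exit status 1: a CI job running this would fail the PR"
  rm -rf "$d"
  ( unset CLOUDFLARE_API_TOKEN; require_env CLOUDFLARE_API_TOKEN ) \
    || echo "require_env refused to continue without CLOUDFLARE_API_TOKEN"
}
demo
```

A grep job like this trades precision for recall: it will flag long placeholder strings and needs an allowlist marker, which is why it belongs beside trufflehog and gitleaks rather than in place of them. Any hit is reason to treat the value as compromised and rotate it at the provider, whatever later happens to the git history.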
🔍 Hypatia Security Scan
Findings: 101 issues detected
View findings
[
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Python file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/a2ml-templates/state-scm-to-v2.py",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/a2ml/bindings/deno/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/k9-svc/bindings/deno/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/standards/standards/lol/src/abi/Locale.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
"type": "js_wildcard_cors",
"file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Summary
- A real Cloudflare API token was hardcoded at avow-protocol/deploy-repos.sh:5 (committed in 5f2f8b2 on 2026-05-18, reported externally on 2026-05-21).
- deploy-repos.sh: source CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID from env with a hard-fail if unset, the same pattern used in avow-protocol/deploy-cloudflare.sh.
- DEPLOYMENT-SUCCESS.md: redact the account ID from the public doc.
- secret-scanner.yml: add a shell-secrets job (mirrors the existing rust-secrets job). The existing trufflehog --only-verified + gitleaks-action defaults both missed this leak at PR time; the new grep-based job would have caught it (self-tested locally).

Owner action required (out of band, not in this PR)
1. Rotate / delete the leaked token at Cloudflare → API Tokens, token id 689fa59a165c47cc61095d984c453205. The repo is public; assume the secret is burned regardless of any history rewrite.
2. History rewrite + force-push of affected branches (5f2f8b2), being tracked separately in the session that opened this PR. Affected refs: main, chore/standards-67-68-enforcement-docs, feat/spark-theatre-gate-135, fix/ssh-remote-enforcement, licence-debt/{07-spdx-value-normalise,a8-owner-carveouts,batch-a-policy-addendum,restore-a6-a7}, licensing/canonicalize-constitution, nix-retirement-closure-102.

Test plan
- shell-secrets job runs and passes on the cleaned tree
- trufflehog and gitleaks jobs continue to pass

Generated with Claude Code