From 426b8edab58d020a78f05fba9d79722e699fdf72 Mon Sep 17 00:00:00 2001
From: Maximum-Prosper <180036921+Maximum-Prosper@users.noreply.github.com>
Date: Sun, 31 May 2026 01:50:15 +0100
Subject: [PATCH] chore(security): document trufflehog audit
---
 .env.example | 5 +++
 docker-compose.yml | 8 ++---
 docs/security/trufflehog-audit-2026-05-31.md | 36 ++++++++++++++++++++
 3 files changed, 45 insertions(+), 4 deletions(-)
 create mode 100644 .env.example
 create mode 100644 docs/security/trufflehog-audit-2026-05-31.md
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..d9edc44
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,5 @@
+# AnchorPoint local Docker Compose configuration
+
+POSTGRES_USER=anchorpoint
+POSTGRES_PASSWORD=replace-with-a-strong-local-password
+POSTGRES_DB=anchorpoint
diff --git a/docker-compose.yml b/docker-compose.yml
index 02a26e3..8e0cbab 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,9 +7,9 @@ services:
 ports:
 - "5432:5432"
 environment:
- - POSTGRES_USER=anchorpoint
- - POSTGRES_PASSWORD=anchorpoint
- - POSTGRES_DB=anchorpoint
+ - POSTGRES_USER=${POSTGRES_USER:-anchorpoint}
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD in your local environment or .env file}
+ - POSTGRES_DB=${POSTGRES_DB:-anchorpoint}
 volumes:
 - postgres-data:/var/lib/postgresql/data
 healthcheck:
@@ -33,7 +33,7 @@ services:
 environment:
 - NODE_ENV=production
 - PORT=3002
- - DATABASE_URL=postgresql://anchorpoint:anchorpoint@postgres:5432/anchorpoint
+ - DATABASE_URL=postgresql://${POSTGRES_USER:-anchorpoint}:${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD in your local environment or .env file}@postgres:5432/${POSTGRES_DB:-anchorpoint}
 - REDIS_URL=redis://redis:6379
 - JAEGER_ENDPOINT=http://jaeger:14268/api/traces
 - PROMETHEUS_METRICS_PORT=9464
diff --git a/docs/security/trufflehog-audit-2026-05-31.md b/docs/security/trufflehog-audit-2026-05-31.md
new file mode 100644
index 0000000..b9e2ebc
--- /dev/null
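Review bot: The placeholder `POSTGRES_PASSWORD=replace-with-a-strong-local-password` in the new .env.example satisfies the `${POSTGRES_PASSWORD:?...}` guard that docker-compose.yml now relies on, so a developer who copies the example to .env without editing it gets a running stack with a publicly committed password and no error. Leaving the value empty, `POSTGRES_PASSWORD=` preceded by `# required: set a strong local password before running docker compose`, makes an unedited copy fail fast with the message the compose file already carries. The commit message and the audit note say .env is git-ignored, but no .gitignore change is in this diff, so that should be confirmed rather than assumed; a header comment `# Copy to .env (git-ignored) and fill in every value` would make the intended workflow explicit in the file itself.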
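Review bot: The new `DATABASE_URL` line in the second docker-compose.yml hunk splices `${POSTGRES_PASSWORD:?...}` verbatim into a URL, and Compose substitution does not percent-encode it, so a password containing `@`, `:`, `/`, `#`, `%` or `?` (exactly what a "strong" password tends to include) yields a misparsed connection string and a confusing auth failure instead of a clear error. At minimum add a comment above the line, `# POSTGRES_PASSWORD is interpolated raw into this URL: keep it URL-safe or percent-encode it in .env`, and ideally pass the discrete POSTGRES_* variables to the api service and let it build the URL with proper encoding. The same long `:?` message is repeated in the first hunk and here; repeating it is harmless but drifts easily, so consider a single sourced variable. The enclosing `api` service definition starts and ends outside the hunk, so whether the service already receives the POSTGRES_* variables is not visible here.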
+++ b/docs/security/trufflehog-audit-2026-05-31.md
@@ -0,0 +1,36 @@
+# TruffleHog Secret Scan Audit - 2026-05-31
+
+## Scope
+
+- Repository: `AnchorPoint`
+- Issue: `#438` - Review codebase for exposed secrets (TruffleHog)
+- Tool: TruffleHog `3.95.3`
+- Scans:
+ - `trufflehog filesystem --json --no-update .`
+ - `trufflehog git --json --no-update file:///Users/DONALD/Desktop/Prosper%20space/AnchorPoint`
+
+## Initial Findings
+
+- Current filesystem scan verified secrets: `0`
+- Current filesystem scan unverified findings before remediation: `1`
+- Git history scan verified secrets: `0`
+- Git history scan unverified findings: `1`
+- Detector: `Postgres`
+- Location: `docker-compose.yml`
+
+The finding was a hardcoded local PostgreSQL credential embedded in the Docker Compose database URL. It was not verified as a live secret, but it still trained deployments toward committed credentials.
+
+## Remediation
+
+- Replaced hardcoded Docker Compose database credentials with environment variable interpolation.
+- Added a root `.env.example` with non-secret placeholders for local Compose setup.
+- Kept real `.env` files ignored by Git.
+
+## Validation
+
+After remediation:
+
+- `trufflehog filesystem --json --no-update .` reported `0` verified and `0` unverified findings in the current working tree.
+- `trufflehog git --json --no-update file:///Users/DONALD/Desktop/Prosper%20space/AnchorPoint` reported `0` verified findings and retained `1` unverified historical Postgres finding from commit `c9221b3808e38dee54559fec266c5bdf7f19453a`.
+
+No history rewrite was performed because the historical finding is an unverified local-development credential, not a verified live secret.