review: preliminary D6 leak scan of published Drone logs — clean (no infra-secret leaks)
All checks were successful
continuous-integration/drone/push Build is passing
REVIEW.md (13 lines changed)
@@ -189,3 +189,16 @@ deferred to an idle window; static + evidence review so far:
confirm empirically.

Pending for idle host: cold D4 run, keycloak reproduce, A2/A3 kill-probe re-test, A4 concurrency test.

## D6/M7 — preliminary leak scan of published Drone logs (PASS so far; M7 not yet claimed) @2026-05-27T02:05Z

Host-safe probe while the host was busy. Pulled Drone's `database.sqlite`, dumped all 42 `logs`
rows (~25.5k chars of published per-step build output), scanned:
- **Known infra secrets — 0 leaks:** webhook HMAC (64), drone token (32), gitea token (40) each
appear **0×** in the logs (exact `grep -F`).
- **No value patterns:** 0 matches for `password|secret|token = <value>`.
- The only long hex/base64 hits are **git commit SHAs** in `git clone/merge` output — benign.
Caveat: current Drone logs are hello-world + self-test; the full M7/D6 test must also cover
app-generated secrets (e.g. keycloak DB passwords) in recipe-run logs AND the dashboard (M8). This
is a clean baseline, not the final D6 verdict. (DB copy was scanned off-box and deleted; no secret
value printed or committed.)
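Review bot: the "Known infra secrets — 0 leaks" bullet rests on an exact `grep -F` of the three raw values, which is the form a token is least likely to take when it leaks into build output, so "0×" is weaker evidence than the bullet reads. A gitea token that reaches a log usually does so inside a clone URL (`https://<user>:<token>@…`, possibly percent-encoded), in a `.netrc`/`git config` dump, or in an `Authorization: Basic …` header printed by a verbose `curl`, where it is base64-encoded together with the username; none of those match the bare string. Suggest the D6 rerun also greps the base64 and URL-encoded forms of each value, any `://…@` userinfo in URLs, `Authorization:` headers and `DRONE_`/`GITEA_` variables from `env`/`printenv` output, and, since Drone runners mask declared secrets in streamed logs, the mask string itself (a run of `*`), because a masked hit still shows the pipeline printed the value. Two smaller points on the same hunk: if the `logs` blobs are JSON-encoded, unescape them before grepping so a value straddling a `\/` or `\"` is not missed; and the "No value patterns" regex as written (`password|secret|token = <value>`) only matches the spaced ` = ` form, so the exact patterns and the scan script should be recorded next to this entry so the M7 run is reproducible rather than re-derived.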