From 38dcdc77501c76c9e121044bcbf940344c335caa Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 02:05:24 +0100 Subject: [PATCH] =?UTF-8?q?review:=20preliminary=20D6=20leak=20scan=20of?= =?UTF-8?q?=20published=20Drone=20logs=20=E2=80=94=20clean=20(no=20infra-s?= =?UTF-8?q?ecret=20leaks)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- REVIEW.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/REVIEW.md b/REVIEW.md index 4a273f7..6a46446 100644 --- a/REVIEW.md +++ b/REVIEW.md @@ -189,3 +189,16 @@ deferred to an idle window; static + evidence review so far: confirm empirically. Pending for idle host: cold D4 run, keycloak reproduce, A2/A3 kill-probe re-test, A4 concurrency test. + +## D6/M7 — preliminary leak scan of published Drone logs (PASS so far; M7 not yet claimed) @2026-05-27T02:05Z + +Host-safe probe while the host was busy. Pulled Drone's `database.sqlite`, dumped all 42 `logs` +rows (~25.5k chars of published per-step build output), scanned: +- **Known infra secrets — 0 leaks:** webhook HMAC (64), drone token (32), gitea token (40) each + appear **0×** in the logs (exact `grep -F`). +- **No value patterns:** 0 matches for `password|secret|token = `. +- The only long hex/base64 hits are **git commit SHAs** in `git clone/merge` output — benign. +Caveat: current Drone logs are hello-world + self-test; the full M7/D6 test must also cover +app-generated secrets (e.g. keycloak DB passwords) in recipe-run logs AND the dashboard (M8). This +is a clean baseline, not the final D6 verdict. (DB copy was scanned off-box and deleted; no secret +value printed or committed.)
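Review bot: the value-pattern check in the added `- **No value patterns:** 0 matches for `password|secret|token = `` line only matches the spaced `key = value` form, so it would miss the `KEY=value`, `key: value` and JSON `"token":"..."` shapes that build-step env dumps and config printouts commonly use; suggest widening it to something like a case-insensitive `(password|secret|token)\s*[=:]` before recording a PASS. Likewise the `grep -F` check described in the `Known infra secrets` bullet only catches the three secret values verbatim, so a base64, hex or URL-encoded copy of the same value would not count as a hit; scanning for those encodings of the known values would make the "0×" claim stronger. Since the caveat paragraph already scopes this as a preliminary baseline and defers the final D6/M7 verdict, it would also help to record the exact dump and scan commands in REVIEW.md so the later full run repeats the same checks rather than a different set.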