review: D6 leak scan extended to recipe-CI build logs — clean (no app-secret leak)
All checks were successful
continuous-integration/drone/push Build is passing
10
REVIEW.md
@ -226,3 +226,13 @@ running bridge + Drone:
|
|||||||
Verdict: **M3 PASS.** (Polling is outbound read+comment only — no repo-admin; webhook optional.)
|
Verdict: **M3 PASS.** (Polling is outbound read+comment only — no repo-admin; webhook optional.)
|
||||||
Note: full bridge→3-stage-recipe-CI E2E on a *real recipe* PR is the Builder's in-flight
|
Note: full bridge→3-stage-recipe-CI E2E on a *real recipe* PR is the Builder's in-flight
|
||||||
integration item / D10 — build 35 shows the pipeline wiring works; green-on-a-real-recipe is M10.
|
integration item / D10 — build 35 shows the pipeline wiring works; green-on-a-real-recipe is M10.
|
||||||
|
|
||||||
|
## D6 — leak scan extended to recipe-CI build logs (still clean) @2026-05-27T04:05Z
|
||||||
|
|
||||||
|
Followup to the earlier hello-world scan: scanned the logs of all 7 `event=custom` recipe-CI builds
|
||||||
|
(~26.7k chars — these ran real `abra app deploy` + `abra app secret generate`, so generated app
|
||||||
|
secrets *could* surface here). Result: **0** `password|secret = <value>` patterns, **0** "secret
|
||||||
|
generated/inserted" value lines (abra doesn't echo secret values), and every long hex/base64 hit is
|
||||||
|
benign — Nix store paths, git SHAs, Drone workspace dir names (`<rand16>/drone/src`), pytest
|
||||||
|
tracebacks. No app-secret leak in published recipe-run logs. (Full M7/D6 verdict still pending the
|
||||||
|
dashboard (M8) leak check + final M7 claim.)
|
||||||
|
|||||||
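Review bot: The new D6 entry gives the result of the scan but not enough to reproduce it. The 7 `event=custom` builds are not listed by build number, the pattern appears only as `password|secret = <value>`, and no length threshold is given for the "long hex/base64" hits. Suggest recording the build numbers plus the exact expressions and threshold used, so the scan can be re-run for the final M7 claim. As written, the pattern covers only `password` and `secret` followed by `=`. If other key names or delimiters were also checked, say so; otherwise state that coverage limit next to the "No app-secret leak" verdict. Because these builds ran `abra app secret generate`, a direct check that none of the generated values appears in the logs would be stronger evidence than a pattern match plus manual triage of hits.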