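#!/usr/bin/env bash
# Security verification script for Finance Bot
#
# Heuristic, grep-based checks that no hardcoded credentials exist in the
# codebase.  Run it from the repository root: every path below (app/,
# docker-compose.yml, .gitignore, .env.example) is relative to it.
#
# Results:  PASSED / FAILED are counted; SKIPPED (an optional input file is
#           absent) is reported but counted in neither column.
# Exit:     0 when no check failed, 1 when at least one check failed,
#           2 when run from the wrong directory (app/ not found).
#
# Matches are reported as file:line only -- the matched content is
# deliberately NOT echoed, so a real secret does not end up in CI logs.
#
# NOTE: these are regex matches, not a full secret scanner.  A clean run
# means "nothing matched these patterns", not "the code has no secrets".
set -euo pipefail

readonly RED=$'\033[0;31m'
readonly GREEN=$'\033[0;32m'
readonly YELLOW=$'\033[1;33m'
readonly NC=$'\033[0m' # No Color

# Shape of a bot token: numeric id, ':', long alphanumeric secret.
# No leading ':' is required, so `TOKEN = "123...:abc..."` assignments
# match (the previous pattern only matched `key: 123...:abc...` lines).
readonly BOT_TOKEN_RE='[0-9]{8,}:[A-Za-z0-9_-]{20,}'

failed=0
passed=0
skipped=0

pass() { printf '%s  ✅ PASSED: %s%s\n' "$GREEN" "$1" "$NC"; passed=$((passed + 1)); }
fail() { printf '%s  ❌ FAILED: %s%s\n' "$RED" "$1" "$NC"; failed=$((failed + 1)); }
skip() { printf '%s  ⚠️  SKIPPED: %s%s\n' "$YELLOW" "$1" "$NC"; skipped=$((skipped + 1)); }

#######################################
# Print the locations of grep -Hn hits without their content.
# Arguments: $1 - newline-separated "file:line:content" records
# Outputs:   one indented "file:line" per record on stdout
#######################################
show_locations() {
  printf '%s\n' "$1" | cut -d: -f1,2 | sed 's/^/      /'
}

echo "🔐 Finance Bot - Security Verification"
echo "======================================"
echo ""

# Checks 1, 2 and 8 grep app/.  A missing app/ used to make all of them
# pass silently (grep errors were discarded), which is the opposite of what
# a verification script should do.
if [[ ! -d app ]]; then
  printf '%sERROR: app/ not found -- run this script from the repository root%s\n' "$RED" "$NC" >&2
  exit 2
fi

# Test 1: Check for hardcoded bot tokens (pattern: digits:letters)
echo "1️⃣ Checking for hardcoded bot tokens..."
hits=$(grep -rHnEs --include='*.py' -- "$BOT_TOKEN_RE" app/ || true)
if [[ -n "$hits" ]]; then
  fail "Found potential hardcoded tokens"
  show_locations "$hits"
else
  pass "No hardcoded tokens found"
fi

# Test 2: Check for hardcoded database passwords
echo "2️⃣ Checking for hardcoded database passwords..."
# The known default password, or a connection URL carrying inline
# credentials (both the postgres:// and postgresql:// schemes).
hits=$(grep -rHnEs --include='*.py' -- 'finance_pass|postgres(ql)?://[^[:space:]]+:[^[:space:]]+@' app/ || true)
if [[ -n "$hits" ]]; then
  fail "Found potential hardcoded passwords"
  show_locations "$hits"
else
  pass "No hardcoded passwords found"
fi

# Test 3: Check docker-compose for hardcoded passwords
echo "3️⃣ Checking docker-compose.yml for hardcoded passwords..."
if [[ ! -f docker-compose.yml ]]; then
  skip "docker-compose.yml not found"
else
  # Any *password: key (case-insensitive) whose value is not a ${VAR} reference.
  hits=$(grep -Hni -- 'password:' docker-compose.yml | grep -vF -- '${' || true)
  if [[ -n "$hits" ]]; then
    fail "Found hardcoded passwords in docker-compose.yml"
    show_locations "$hits"
  else
    pass "docker-compose.yml uses environment variables"
  fi
fi

# Test 4: Check docker-compose for hardcoded credentials
echo "4️⃣ Checking docker-compose.yml for hardcoded credentials..."
if [[ ! -f docker-compose.yml ]]; then
  skip "docker-compose.yml not found"
else
  # The old form `grep ... || true | grep -v '${'` parsed as
  # `grep || (true | grep -v)`, so the ${ exclusion never saw the real
  # matches.  Pipe the filter properly.
  hits=$(grep -HnE -- 'finance_pass|finance_user.*:.*password' docker-compose.yml | grep -vF -- '${' || true)
  if [[ -n "$hits" ]]; then
    fail "Found hardcoded credentials in docker-compose.yml"
    show_locations "$hits"
  else
    pass "No hardcoded credentials found"
  fi
fi

# Test 5: Check that .env is in .gitignore (and not already committed)
echo "5️⃣ Checking .gitignore for .env..."
# Accept ".env" or "/.env"; tolerate trailing whitespace / CRLF.
if ! grep -qE '^/?\.env[[:space:]]*$' .gitignore 2>/dev/null; then
  fail ".env is not in .gitignore"
elif command -v git >/dev/null 2>&1 && git ls-files --error-unmatch -- .env >/dev/null 2>&1; then
  # An ignore rule does not untrack a file that was already committed; the
  # values in it must be treated as exposed.  Outside a git checkout
  # ls-files fails and this branch is simply not taken.
  fail ".env is ignored but already tracked by git (git rm --cached .env, then rotate its secrets)"
else
  pass ".env is properly ignored"
fi

# Test 6: Check that .env.example exists
echo "6️⃣ Checking for .env.example..."
if [[ -f .env.example ]]; then
  pass ".env.example exists"
else
  fail ".env.example not found"
fi

# Test 7: Check that .env.example has no real credentials
echo "7️⃣ Checking .env.example for real credentials..."
if [[ ! -f .env.example ]]; then
  skip ".env.example not found (already reported by check 6)"
else
  hits=$(grep -HnE -- "$BOT_TOKEN_RE" .env.example || true)
  if [[ -n "$hits" ]]; then
    fail ".env.example contains real credentials"
    show_locations "$hits"
  else
    pass ".env.example contains only placeholders"
  fi
fi

# Test 8: Check for common secret patterns in Python
echo "8️⃣ Checking Python files for secret patterns..."
# A secret-looking name assigned, passed as a keyword, or used as a dict
# key with a non-empty quoted literal value.  Reads from the environment or
# settings (`api_key = os.environ[...]`) have no literal after the '=' and
# therefore do not match.  The previous exclusion list had a typo
# (`settings\.|param` -- a literal '|' in BRE) that silently disabled two
# of its filters, and `grep -v '#'` dropped any code line with a trailing
# comment; only whole-line comments are excluded now.
secret_re="(api_key|api_secret|auth_token|access_token)[A-Za-z0-9_]*['\"]?[[:space:]]*[=:][[:space:]]*['\"][^'\"]+['\"]"
hits=$(grep -rHnEis --include='*.py' -- "$secret_re" app/ | grep -vE -- '^[^:]*:[0-9]+:[[:space:]]*#' || true)
if [[ -n "$hits" ]]; then
  fail "Found potential hardcoded secrets"
  show_locations "$hits"
else
  pass "No hardcoded secrets found"
fi

# Summary
echo ""
echo "======================================"
echo "Summary:"
printf '  %s✅ Passed: %d%s\n' "$GREEN" "$passed" "$NC"
printf '  %s❌ Failed: %d%s\n' "$RED" "$failed" "$NC"
if (( skipped > 0 )); then
  printf '  %s⚠️  Skipped: %d%s\n' "$YELLOW" "$skipped" "$NC"
fi
echo ""
if (( failed == 0 )); then
  printf '%s✅ All security checks passed!%s\n' "$GREEN" "$NC"
  echo ""
  # Deliberately not "your application is secure": these checks only look
  # for hardcoded credentials matching a handful of patterns.
  echo "✨ No hardcoded credentials were detected by these checks."
  exit 0
else
  printf '%s⚠️  Security issues found! Please fix them before deployment.%s\n' "$RED" "$NC"
  exit 1
fi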