feat(security): 擴充 source-control 納管範圍
2026-06-11 19:23:40 +08:00

{
"schema_version": "source_control_workflow_secret_name_local_evidence_v1",
"status": "draft_partial_local_evidence",
"date": "2026-06-11",
"mode": "local_read_only_redacted_inventory",
"runtime_execution_authorized": false,
"source_contract": "source_control_workflow_secret_name_inventory_v1",
"summary": {
"candidate_repo_count": 10,
"local_repo_visible_count": 9,
"local_evidence_repo_count": 5,
"workflow_file_count": 33,
"gitea_workflow_file_count": 12,
"github_workflow_file_count": 21,
"codeowners_file_count": 2,
"unique_secret_name_count": 42,
"runner_label_count": 5,
"secret_value_collection_allowed": false,
"secret_value_detected": false,
"runtime_actions_authorized": false,
"action_buttons_allowed": false
},
"unique_secret_names": [
"ARGOCD_API_TOKEN",
"AWOOOI_GITEA_API_TOKEN",
"AWOOOI_GITEA_WEBHOOK_SECRET",
"AWOOOP_OPERATOR_API_KEY",
"CD_PUSH_TOKEN",
"CLAUDE_API_KEY",
"CODECOV_TOKEN",
"DATABASE_URL",
"DEPLOY_SSH_KEY",
"GEMINI_API_KEY",
"GITEA_MIRROR_TOKEN",
"GITHUB_TOKEN",
"HARBOR_PASSWORD",
"HARBOR_USER",
"HARBOR_USERNAME",
"INTERNAL_WEBHOOK_TOKEN",
"JWT_ALGORITHM",
"JWT_SECRET",
"KUBE_CONFIG_PREVIEW",
"KUBE_CONFIG_PROD",
"KUBE_CONFIG_PRODUCTION",
"KUBE_CONFIG_STAGING",
"LANGFUSE_PUBLIC_KEY",
"LANGFUSE_SECRET_KEY",
"MIGRATION_DATABASE_URL",
"NEMOTRON_BOT_TOKEN",
"NVIDIA_API_KEY",
"OPENCLAW_BOT_TOKEN",
"OPENCLAW_TG_BOT_TOKEN",
"OPENCLAW_TG_CHAT_ID",
"OPENCLAW_TG_USER_WHITELIST",
"REDIS_URL",
"RUNNER_ADMIN_TOKEN",
"SENTRY_AUTH_TOKEN",
"SENTRY_DSN",
"SMTP_HOST",
"SRE_GROUP_CHAT_ID",
"STAGING_API_URL",
"STAGING_FRONTEND_URL",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID",
"WEBHOOK_HMAC_SECRET"
],
"runner_label_names": [
"awoooi-host",
"harbor",
"k8s",
"self-hosted",
"ubuntu-latest"
],
"repos": [
{
"repo_key": "awoooi",
"repo_path": "/private/tmp/awoooi-agent-bounty-iwooos-20260611",
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"scope_status": "in_scope",
"risk": "HIGH",
"local_status": "partial_local_evidence",
"workflow_files": [
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/agent-market-watch.yaml",
"workflow_display_name": "Agent Market Watch",
"trigger_names": [
"schedule",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/ansible-lint.yml",
"workflow_display_name": "Ansible Lint",
"trigger_names": [
"paths",
"pull_request",
"push"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/cd-dev.yaml",
"workflow_display_name": "CD Pipeline (Dev)",
"trigger_names": [
"branches",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"DEPLOY_SSH_KEY",
"GEMINI_API_KEY",
"HARBOR_PASSWORD",
"HARBOR_USERNAME",
"NVIDIA_API_KEY",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/cd.yaml",
"workflow_display_name": "CD Pipeline",
"trigger_names": [
"branches",
"paths",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"awoooi-host"
],
"environment_names": [],
"referenced_secret_names": [
"ARGOCD_API_TOKEN",
"AWOOOI_GITEA_API_TOKEN",
"AWOOOI_GITEA_WEBHOOK_SECRET",
"AWOOOP_OPERATOR_API_KEY",
"CD_PUSH_TOKEN",
"CLAUDE_API_KEY",
"DATABASE_URL",
"DEPLOY_SSH_KEY",
"GEMINI_API_KEY",
"HARBOR_PASSWORD",
"HARBOR_USERNAME",
"JWT_ALGORITHM",
"JWT_SECRET",
"LANGFUSE_PUBLIC_KEY",
"LANGFUSE_SECRET_KEY",
"MIGRATION_DATABASE_URL",
"NEMOTRON_BOT_TOKEN",
"NVIDIA_API_KEY",
"OPENCLAW_BOT_TOKEN",
"OPENCLAW_TG_USER_WHITELIST",
"REDIS_URL",
"SENTRY_AUTH_TOKEN",
"SENTRY_DSN",
"SMTP_HOST",
"SRE_GROUP_CHAT_ID",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID",
"WEBHOOK_HMAC_SECRET"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/code-review.yaml",
"workflow_display_name": "Code Review",
"trigger_names": [
"branches",
"paths",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"TELEGRAM_BOT_TOKEN"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/deploy-alerts.yaml",
"workflow_display_name": "Deploy Alert Rules",
"trigger_names": [
"branches",
"paths",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"DEPLOY_SSH_KEY",
"TELEGRAM_BOT_TOKEN"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/e2e-health.yaml",
"workflow_display_name": "E2E Health Check",
"trigger_names": [
"schedule",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"AWOOOP_OPERATOR_API_KEY",
"OPENCLAW_TG_BOT_TOKEN"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/run-migration.yml",
"workflow_display_name": "run-migration",
"trigger_names": [
"branches",
"paths",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"DATABASE_URL",
"MIGRATION_DATABASE_URL",
"TELEGRAM_BOT_TOKEN"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/type-sync-check.yaml",
"workflow_display_name": "Type Sync Check",
"trigger_names": [
"branches",
"paths",
"pull_request",
"push"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/cd.yaml",
"workflow_display_name": "CD",
"trigger_names": [
"default",
"description",
"force_deploy",
"inputs",
"skip_api",
"skip_web",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [
"production"
],
"referenced_secret_names": [
"CLAUDE_API_KEY",
"DATABASE_URL",
"GEMINI_API_KEY",
"GITEA_MIRROR_TOKEN",
"HARBOR_PASSWORD",
"HARBOR_USER",
"KUBE_CONFIG_PROD",
"NVIDIA_API_KEY",
"OPENCLAW_TG_BOT_TOKEN",
"OPENCLAW_TG_CHAT_ID",
"REDIS_URL",
"SENTRY_AUTH_TOKEN",
"SENTRY_DSN",
"WEBHOOK_HMAC_SECRET"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/ci.yaml",
"workflow_display_name": "CI",
"trigger_names": [
"branches",
"pull_request",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"CODECOV_TOKEN"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/daily-e2e-health.yaml",
"workflow_display_name": "Daily E2E Health Check",
"trigger_names": [
"api_url",
"default",
"description",
"dry_run",
"inputs",
"options",
"required",
"schedule",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"OPENCLAW_TG_BOT_TOKEN",
"OPENCLAW_TG_CHAT_ID",
"WEBHOOK_HMAC_SECRET"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/deploy-prod.yml",
"workflow_display_name": "Deploy to Production",
"trigger_names": [
"default",
"deploy_api",
"deploy_web",
"deploy_worker",
"description",
"inputs",
"required",
"skip_tests",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"HARBOR_PASSWORD",
"HARBOR_USER",
"OPENCLAW_TG_BOT_TOKEN",
"OPENCLAW_TG_CHAT_ID"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/nightly-llm.yaml",
"workflow_display_name": "Nightly LLM Tests",
"trigger_names": [
"default",
"description",
"inputs",
"required",
"schedule",
"timeout",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/runner-healthcheck.yml",
"workflow_display_name": "Runner Health Check",
"trigger_names": [
"default",
"description",
"inputs",
"notify_telegram",
"required",
"schedule",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": []
}
],
"codeowners_files": [],
"referenced_secret_names": [
"ARGOCD_API_TOKEN",
"AWOOOI_GITEA_API_TOKEN",
"AWOOOI_GITEA_WEBHOOK_SECRET",
"AWOOOP_OPERATOR_API_KEY",
"CD_PUSH_TOKEN",
"CLAUDE_API_KEY",
"CODECOV_TOKEN",
"DATABASE_URL",
"DEPLOY_SSH_KEY",
"GEMINI_API_KEY",
"GITEA_MIRROR_TOKEN",
"HARBOR_PASSWORD",
"HARBOR_USER",
"HARBOR_USERNAME",
"JWT_ALGORITHM",
"JWT_SECRET",
"KUBE_CONFIG_PROD",
"LANGFUSE_PUBLIC_KEY",
"LANGFUSE_SECRET_KEY",
"MIGRATION_DATABASE_URL",
"NEMOTRON_BOT_TOKEN",
"NVIDIA_API_KEY",
"OPENCLAW_BOT_TOKEN",
"OPENCLAW_TG_BOT_TOKEN",
"OPENCLAW_TG_CHAT_ID",
"OPENCLAW_TG_USER_WHITELIST",
"REDIS_URL",
"SENTRY_AUTH_TOKEN",
"SENTRY_DSN",
"SMTP_HOST",
"SRE_GROUP_CHAT_ID",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID",
"WEBHOOK_HMAC_SECRET"
],
"runner_label_names": [
"awoooi-host",
"harbor",
"k8s",
"self-hosted",
"ubuntu-latest"
],
"environment_names": [
"production"
],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "clawbot-v5",
"repo_path": "/Users/ogt/clawbot-v5",
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"scope_status": "in_scope",
"risk": "MEDIUM",
"local_status": "local_repo_visible_no_workflow_files",
"workflow_files": [],
"codeowners_files": [],
"referenced_secret_names": [],
"runner_label_names": [],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "wooo-aiops",
"repo_path": "/Users/ogt/wooo-aiops",
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"scope_status": "in_scope",
"risk": "MEDIUM",
"local_status": "partial_local_evidence",
"workflow_files": [
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/deploy-uat.yaml",
"workflow_display_name": "Deploy to UAT",
"trigger_names": [
"branches",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/cd.yaml",
"workflow_display_name": "CD Pipeline",
"trigger_names": [
"description",
"environment",
"inputs",
"options",
"release",
"required",
"type",
"types",
"version",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [
"description: \"Target environment\"",
"name: production",
"staging"
],
"referenced_secret_names": [
"GITHUB_TOKEN",
"KUBE_CONFIG_PRODUCTION",
"KUBE_CONFIG_STAGING",
"STAGING_API_URL",
"STAGING_FRONTEND_URL"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/ci.yml",
"workflow_display_name": "WOOO AIOps CI/CD (v4.1 Native BuildKit + ClawBot 告警)",
"trigger_names": [
"branches",
"default",
"description",
"force_deploy",
"inputs",
"push",
"required",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"HARBOR_PASSWORD",
"HARBOR_USER",
"SENTRY_DSN",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/clawbot-build.yml",
"workflow_display_name": "ClawBot Build & Push",
"trigger_names": [
"default",
"deploy_to_188",
"description",
"inputs",
"required",
"tag_suffix",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"HARBOR_PASSWORD",
"HARBOR_USER",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/clear-cache.yml",
"workflow_display_name": "🧹 Clear Next.js Cache (Panic Button)",
"trigger_names": [
"confirm",
"default",
"description",
"inputs",
"required",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/deploy.yml",
"workflow_display_name": "Deploy to K3s",
"trigger_names": [
"default",
"description",
"environment",
"inputs",
"options",
"required",
"skip_tests",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [
"description: 'Deployment environment'"
],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/fast-deploy-uat.yml",
"workflow_display_name": "🚀 Fast Deploy to UAT",
"trigger_names": [
"default",
"description",
"inputs",
"reason",
"required",
"skip_api",
"skip_frontend",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"SENTRY_DSN"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/pr-check.yml",
"workflow_display_name": "PR Check",
"trigger_names": [
"pull_request",
"types"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"GITHUB_TOKEN"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/preview.yml",
"workflow_display_name": "PR Preview Environment",
"trigger_names": [
"pull_request",
"types"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"KUBE_CONFIG_PREVIEW"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/rollback.yml",
"workflow_display_name": "🔄 Emergency Rollback (OPS.71)",
"trigger_names": [
"confirm",
"default",
"description",
"inputs",
"options",
"required",
"service",
"target_version",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"HARBOR_PASSWORD",
"HARBOR_USER"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/runner-healthcheck.yml",
"workflow_display_name": "Runner Health Check",
"trigger_names": [
"default",
"description",
"inputs",
"notify_telegram",
"required",
"schedule",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted",
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"GITHUB_TOKEN",
"RUNNER_ADMIN_TOKEN",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/scheduled-build.yml",
"workflow_display_name": "Scheduled Snapshot Build",
"trigger_names": [
"default",
"description",
"force_build",
"inputs",
"required",
"schedule",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/usage-monitor.yml",
"workflow_display_name": "📊 GitHub Actions Usage Monitor",
"trigger_names": [
"default",
"description",
"force_alert",
"inputs",
"required",
"schedule",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"GITHUB_TOKEN"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/version-audit.yml",
"workflow_display_name": "🔍 Version Drift Audit",
"trigger_names": [
"default",
"description",
"force_alert",
"inputs",
"required",
"schedule",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
}
],
"codeowners_files": [
{
"codeowners_path": "CODEOWNERS",
"owner_tokens": [
"@CIO",
"@CISO",
"@CPO",
"@CTO"
],
"owner_token_count": 4
},
{
"codeowners_path": ".github/CODEOWNERS",
"owner_tokens": [
"@owenhytsai"
],
"owner_token_count": 1
}
],
"referenced_secret_names": [
"GITHUB_TOKEN",
"HARBOR_PASSWORD",
"HARBOR_USER",
"KUBE_CONFIG_PREVIEW",
"KUBE_CONFIG_PRODUCTION",
"KUBE_CONFIG_STAGING",
"RUNNER_ADMIN_TOKEN",
"SENTRY_DSN",
"STAGING_API_URL",
"STAGING_FRONTEND_URL",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted",
"ubuntu-latest"
],
"environment_names": [
"description: \"Target environment\"",
"description: 'Deployment environment'",
"name: production",
"staging"
],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "wooo-infra-config",
"repo_path": "/Users/ogt/wooo-infra-config",
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"scope_status": "in_scope",
"risk": "MEDIUM",
"local_status": "partial_local_evidence",
"workflow_files": [
{
"provider": "github",
"workflow_file_path": ".github/workflows/validate.yml",
"workflow_display_name": "Validate Configs",
"trigger_names": [
"branches",
"pull_request",
"push"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
}
],
"codeowners_files": [],
"referenced_secret_names": [
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "ewoooc-momo",
"repo_path": "/Users/ogt/momo-pro-system",
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system",
"scope_status": "in_scope",
"risk": "HIGH",
"local_status": "partial_local_evidence",
"workflow_files": [
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/cd.yaml",
"workflow_display_name": "CD Pipeline",
"trigger_names": [
"branches",
"paths",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"DEPLOY_SSH_KEY",
"INTERNAL_WEBHOOK_TOKEN",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/code-review.yml",
"workflow_display_name": "Aider Code Review",
"trigger_names": [
"branches",
"default",
"description",
"inputs",
"options",
"pull_request",
"push",
"required",
"review_type",
"target_files",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": []
}
],
"codeowners_files": [],
"referenced_secret_names": [
"DEPLOY_SSH_KEY",
"INTERNAL_WEBHOOK_TOKEN",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "bitan-pharmacy",
"repo_path": "/Users/ogt/bitan-pharmacy",
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"scope_status": "in_scope",
"risk": "MEDIUM",
"local_status": "local_repo_visible_no_workflow_files",
"workflow_files": [],
"codeowners_files": [],
"referenced_secret_names": [],
"runner_label_names": [],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "tsenyang-website",
"repo_path": "/Users/ogt/tsenyang-website",
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"scope_status": "in_scope",
"risk": "MEDIUM",
"local_status": "local_repo_visible_no_workflow_files",
"workflow_files": [],
"codeowners_files": [],
"referenced_secret_names": [],
"runner_label_names": [],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "open-design",
"repo_path": "/Users/ogt/open-design",
"github_repo": "nexu-io/open-design",
"source_key": "open-design",
"scope_status": "external_scope_review",
"risk": "LOW",
"local_status": "missing_local_repo",
"workflow_files": [],
"codeowners_files": [],
"referenced_secret_names": [],
"runner_label_names": [],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "vibework",
"repo_path": "/Users/ogt/Documents/VibeWork",
"github_repo": "owenhytsai/VibeWork",
"source_key": "vibework",
"scope_status": "in_scope",
"risk": "HIGH",
"local_status": "local_repo_visible_no_workflow_files",
"workflow_files": [],
"codeowners_files": [],
"referenced_secret_names": [],
"runner_label_names": [],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "agent-bounty-protocol",
"repo_path": "/Users/ogt/Documents/agent-bounty-protocol",
"github_repo": "owenhytsai/agent-bounty-protocol",
"source_key": "agent-bounty-protocol",
"scope_status": "in_scope",
"risk": "HIGH",
"local_status": "partial_local_evidence",
"workflow_files": [
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/deploy.yml",
"workflow_display_name": "CI and Production Smoke",
"trigger_names": [
"branches",
"push"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": []
}
],
"codeowners_files": [],
"referenced_secret_names": [],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
}
],
"redaction_rules": [
"只保存 workflow 內引用的 secret 名稱，不保存 secret value。",
"不讀取 .env、secrets、private key、runner registration token 或 webhook secret。",
"不呼叫 GitHub / Gitea API，因此 webhook、deploy key、branch protection 與 repository secret parity 仍需後續 redacted export 或 read-only API evidence。",
"任何含 raw secret/token/private key 的 payload 都必須拒收並進 quarantine。"
],
"forbidden_actions": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
}