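#!/bin/bash
# Verify .gitignore coverage for all .env files and secrets.
#
# Scans PROJECT_ROOT for .env and .env.* files (example/sample/template files
# are skipped) and reports the ones git would commit.  Inside a git repository
# the decision is made with `git check-ignore`, which applies the real ignore
# semantics (nested .gitignore files, anchoring, negation, `**`) instead of
# grepping .gitignore for a few spellings.  Two cases are treated as findings
# even though a naive .gitignore grep would pass them:
#   * the file is already tracked - a .gitignore rule never un-tracks a file;
#   * the only matching rule lives in .git/info/exclude or the user's global
#     excludes file - that protects this clone, not the repository.
# Backup copies (*.env.backup*, .env.backup*) are scanned for secret-looking
# variable names and reported whether or not they are ignored.
#
# Usage:
#   PROJECT_ROOT=/path/to/projects ./verify-gitignore.sh
#   FIX_MODE=true ./verify-gitignore.sh    # append ignore rules where missing
#
# Environment:
#   PROJECT_ROOT  tree to scan (default: /home/intlc/projects)
#   FIX_MODE      "true" to append ignore rules to the .gitignore next to each
#                 unprotected file (the file is created if absent)
#
# Exit status: 0 when nothing needs attention, 1 when any finding remains
# (unprotected file, tracked file, or a backup that contains secrets).
set -euo pipefail

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[⚠]${NC} $1"; }
log_error() { echo -e "${RED}[✗]${NC} $1"; }

PROJECT_ROOT="${PROJECT_ROOT:-/home/intlc/projects}"
FIX_MODE="${FIX_MODE:-false}"

# Rules appended by FIX_MODE.  `.env.*` covers every per-environment variant
# (.env.local, .env.production, .env.backup.*); the negations keep the
# conventional committable templates visible.
ENV_IGNORE_RULES='# Environment files
.env
.env.*
*.env.backup*
!.env.example
!.env.sample
!.env.template'

# Heuristic .gitignore line patterns, used only outside git repositories where
# `git check-ignore` is unavailable.  ENV_RULE_RE is anchored so that an
# `.env.example` entry is not mistaken for an `.env` rule, and tolerates CRLF.
ENV_RULE_RE='^/?(\*\*/)?(\*?\.env|\.env\.\*)[[:space:]]*$'
ENV_GLOB_RULE_RE='^/?\.env\.\*[[:space:]]*$'
BACKUP_RULE_RE='env\.backup'

# Variable names that usually carry credentials, anywhere in the name
# (DB_PASSWORD, AWS_SECRET_ACCESS_KEY, export GITHUB_TOKEN=...).  Matching on
# the name only keeps secret values out of this script's output.
SECRET_NAME_RE='^[[:space:]]*(export[[:space:]]+)?[A-Za-z0-9_]*(PRIVATE_KEY|API_KEY|SECRET|PASSWORD|PASSWD|TOKEN|CLOUDFLARE)'

# Return 0 when directory $1 is inside a git repository.
in_git_repo() {
  git -C "$1" rev-parse --git-dir >/dev/null 2>&1
}

# Return 0 when path $2 is already in the index of the repository containing
# directory $1.  Such a file is committed regardless of .gitignore.
git_tracks() {
  git -C "$1" ls-files --error-unmatch -- "$2" >/dev/null 2>&1
}

# Return 0 when git ignores path $2 (repository containing directory $1) by way
# of a .gitignore file that lives in the work tree.  A match that comes only
# from .git/info/exclude or core.excludesFile is rejected: those files are not
# part of the repository, so another clone would still commit the file.
git_ignores_via_gitignore() {
  local dir=$1 path=$2 match src
  # Non-verbose check first: its exit status is reliable, whereas with -v a
  # matching *negated* pattern also yields status 0.
  git -C "$dir" check-ignore -q --no-index -- "$path" 2>/dev/null || return 1
  # Verbose output is "<source>:<line>:<pattern>\t<path>".  Per-directory
  # .gitignore sources are printed relative to the work tree; info/exclude has
  # basename "exclude" and a global excludes file is normally absolute.  Treat
  # anything else as "not protected by the repository" (conservative).
  match=$(git -C "$dir" check-ignore -v --no-index -- "$path" 2>/dev/null) || return 1
  src=${match%%:*}
  [[ $src != /* && $src != .git/* && ${src##*/} == .gitignore ]]
}

# Return 0 when file $1 exists and contains a line matching ERE $2.
gitignore_has_rule() {
  [[ -f $1 ]] && grep -qE -- "$2" "$1" 2>/dev/null
}

# Return 0 when path $1 is ignored.  Inside a git repository the answer comes
# from git itself; elsewhere the .gitignore next to the file and the one in
# PROJECT_ROOT are grepped for ERE $2.
is_ignored() {
  local path=$1 rule_re=$2 dir
  dir=$(dirname "$path")
  if in_git_repo "$dir"; then
    git_ignores_via_gitignore "$dir" "$path"
  else
    gitignore_has_rule "$dir/.gitignore" "$rule_re" \
      || gitignore_has_rule "$PROJECT_ROOT/.gitignore" "$rule_re"
  fi
}

# Return 0 when file $1 contains a line whose variable name looks like a secret.
looks_like_secrets() {
  grep -qE -- "$SECRET_NAME_RE" "$1" 2>/dev/null
}

# Append ENV_IGNORE_RULES to .gitignore $1, creating it if needed.  Returns 1
# without writing when the file already carries an `.env.*` rule (the file is
# then unprotected for some other reason, e.g. a negation, and needs a human).
append_env_rules() {
  local gitignore=$1
  if [[ -f $gitignore ]]; then
    gitignore_has_rule "$gitignore" "$ENV_GLOB_RULE_RE" && return 1
    printf '\n' >> "$gitignore"
  fi
  printf '%s\n' "$ENV_IGNORE_RULES" >> "$gitignore"
}

# Emit NUL-separated .env / .env.* candidates under PROJECT_ROOT.  node_modules
# and .git are pruned; templates and backups are excluded (backups get their
# own pass so that each file is reported once).
find_env_files() {
  find "$PROJECT_ROOT" \( -name node_modules -o -name .git \) -prune -o \
    -type f \( -name .env -o -name '.env.*' \) \
    ! -name '*.example' ! -name '*.sample' ! -name '*.template' \
    ! -name '*.backup*' -print0 2>/dev/null
}

# Emit NUL-separated backup copies of env files under PROJECT_ROOT.
find_backup_files() {
  find "$PROJECT_ROOT" \( -name node_modules -o -name .git \) -prune -o \
    -type f \( -name '*.env.backup*' -o -name '.env.backup*' \) -print0 2>/dev/null
}

main() {
  local issues=0 fixed=0 tracked=0 backup_issues=0
  local env_file backup_file dir gitignore in_repo existed

  echo "═══════════════════════════════════════════════════════════"
  echo "  .gitignore Coverage Verification"
  echo "═══════════════════════════════════════════════════════════"
  echo ""

  log_info "Scanning for .env files..."
  # read -d '' pairs with find -print0, so names with spaces/newlines survive;
  # the process substitution keeps the counters in this shell.
  while IFS= read -r -d '' env_file; do
    dir=$(dirname "$env_file")
    gitignore="$dir/.gitignore"
    in_repo=false
    if in_git_repo "$dir"; then
      in_repo=true
    fi

    # Already committed: no .gitignore change helps, and the content must be
    # assumed exposed to everyone with repository (history) access.
    if [[ $in_repo == true ]] && git_tracks "$dir" "$env_file"; then
      tracked=$((tracked + 1))
      log_error "🔴 $env_file"
      log_error "   Already tracked by git - .gitignore cannot protect it."
      log_error "   Run: git rm --cached -- '$env_file'  and rotate any secrets it holds"
      continue
    fi

    if is_ignored "$env_file" "$ENV_RULE_RE"; then
      if [[ $in_repo == true ]]; then
        log_success "✓ $env_file (properly ignored)"
      fi
      continue
    fi

    issues=$((issues + 1))
    log_warn "⚠️  $env_file"
    log_warn "   Not properly ignored in .gitignore"
    if [[ $FIX_MODE != true ]]; then
      continue
    fi

    existed=false
    if [[ -f $gitignore ]]; then
      existed=true
    fi
    if ! append_env_rules "$gitignore"; then
      log_warn "   $gitignore already has an .env.* rule, yet git still does not ignore this file - review manually"
      continue
    fi
    if [[ $existed == true ]]; then
      log_success "   Updated $gitignore"
    else
      log_success "   Created $gitignore"
    fi
    # Confirm the new rule actually took effect; a negated or more specific
    # rule elsewhere in the repository can still win.
    if [[ $in_repo == true ]] && ! git_ignores_via_gitignore "$dir" "$env_file"; then
      log_error "   Still not ignored after the update - a nested .gitignore or negation overrides it; review manually"
    else
      fixed=$((fixed + 1))
    fi
  done < <(find_env_files)

  echo ""
  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
  echo "  Backup Files Check"
  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
  echo ""

  while IFS= read -r -d '' backup_file; do
    looks_like_secrets "$backup_file" || continue
    backup_issues=$((backup_issues + 1))
    dir=$(dirname "$backup_file")
    if in_git_repo "$dir" && git_tracks "$dir" "$backup_file"; then
      log_error "🔴 $backup_file"
      log_error "   Contains secrets and is already tracked by git - remove it with git rm --cached and rotate the secrets"
    elif is_ignored "$backup_file" "$BACKUP_RULE_RE"; then
      log_warn "⚠️  $backup_file"
      log_warn "   Contains secrets (properly ignored, but should be removed)"
    else
      log_error "🔴 $backup_file"
      log_error "   Contains secrets and is NOT ignored!"
    fi
  done < <(find_backup_files)

  echo ""
  echo "═══════════════════════════════════════════════════════════"
  echo "  Summary"
  echo "═══════════════════════════════════════════════════════════"
  echo ""

  if (( issues == 0 && tracked == 0 && backup_issues == 0 )); then
    log_success "✅ All .env files are properly ignored!"
    echo ""
    return 0
  fi

  log_warn "Found $issues .env file(s) not properly ignored"
  if (( tracked > 0 )); then
    log_error "Found $tracked .env file(s) already tracked by git"
  fi
  log_warn "Found $backup_issues backup file(s) with secrets"
  if [[ $FIX_MODE == true ]]; then
    log_info "Fixed $fixed .gitignore file(s)"
    echo ""
    log_info "Next steps:"
    log_info "  1. Review the changes"
    log_info "  2. Commit .gitignore updates"
    log_info "  3. git rm --cached any tracked .env file and rotate its secrets"
    log_info "  4. Handle backup files with secrets"
  else
    echo ""
    log_info "To automatically fix .gitignore files, run:"
    log_info "  FIX_MODE=true $0"
  fi
  echo ""

  # Non-zero so the script can gate CI / pre-commit hooks.
  if (( issues - fixed > 0 || tracked > 0 || backup_issues > 0 )); then
    return 1
  fi
  return 0
}

main "$@"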