Merge branch 'worktree-agent-ad901ba0'
This commit is contained in:
salvacybersec
@@ -0,0 +1,123 @@
|
||||
---
|
||||
phase: 14-osint_ci_cd_logs_web_archives_frontend_leaks
|
||||
plan: 01
|
||||
subsystem: recon
|
||||
tags: [ci-cd, github-actions, travis-ci, circleci, jenkins, gitlab-ci, osint]
|
||||
|
||||
requires:
|
||||
- phase: 10-osint-code-hosting
|
||||
provides: ReconSource interface, shared Client, BuildQueries, LimiterRegistry
|
||||
- phase: 13-osint_package_registries_container_iac
|
||||
provides: RegisterAll with 40 sources baseline
|
||||
|
||||
provides:
|
||||
- GitHubActionsSource for GitHub Actions workflow log scanning
|
||||
- TravisCISource for Travis CI public build log scanning
|
||||
- CircleCISource for CircleCI pipeline log scanning
|
||||
- JenkinsSource for open Jenkins console output scanning
|
||||
- GitLabCISource for GitLab CI pipeline log scanning
|
||||
- RegisterAll extended to 45 sources
|
||||
|
||||
affects: [14-02, 14-03, 14-04, 14-05, recon-engine]
|
||||
|
||||
tech-stack:
|
||||
added: []
|
||||
patterns: [credential-gated CI/CD sources, credentialless scraping sources]
|
||||
|
||||
key-files:
|
||||
created:
|
||||
- pkg/recon/sources/githubactions.go
|
||||
- pkg/recon/sources/githubactions_test.go
|
||||
- pkg/recon/sources/travisci.go
|
||||
- pkg/recon/sources/travisci_test.go
|
||||
- pkg/recon/sources/circleci.go
|
||||
- pkg/recon/sources/circleci_test.go
|
||||
- pkg/recon/sources/jenkins.go
|
||||
- pkg/recon/sources/jenkins_test.go
|
||||
- pkg/recon/sources/gitlabci.go
|
||||
- pkg/recon/sources/gitlabci_test.go
|
||||
modified:
|
||||
- pkg/recon/sources/register.go
|
||||
- pkg/recon/sources/register_test.go
|
||||
- pkg/recon/sources/integration_test.go
|
||||
- cmd/recon.go
|
||||
|
||||
key-decisions:
|
||||
- "GitHubActions and GitLabCI reuse existing GitHub/GitLab tokens from SourcesConfig; CircleCI gets its own CIRCLECI_TOKEN"
|
||||
- "TravisCI and Jenkins are credentialless (public API access); GitHubActions, CircleCI, GitLabCI are credential-gated"
|
||||
- "RegisterAll extended to 45 sources (40 Phase 10-13 + 5 Phase 14 CI/CD)"
|
||||
|
||||
patterns-established:
|
||||
- "CI/CD sources follow same ReconSource pattern as all prior sources"
|
||||
|
||||
requirements-completed: []
|
||||
|
||||
duration: 4min
|
||||
completed: 2026-04-06
|
||||
---
|
||||
|
||||
# Phase 14 Plan 01: CI/CD Log Sources Summary
|
||||
|
||||
**Five CI/CD build log sources (GitHubActions, TravisCI, CircleCI, Jenkins, GitLabCI) for detecting API keys leaked in CI/CD pipeline outputs**
|
||||
|
||||
## Performance
|
||||
|
||||
- **Duration:** 4 min 32s
|
||||
- **Started:** 2026-04-06T10:13:06Z
|
||||
- **Completed:** 2026-04-06T10:17:38Z
|
||||
- **Tasks:** 1
|
||||
- **Files modified:** 14
|
||||
|
||||
## Accomplishments
|
||||
- Implemented 5 CI/CD log scanning sources following established ReconSource pattern
|
||||
- GitHubActions searches GitHub code search for workflow YAML files referencing provider keywords
|
||||
- TravisCI queries Travis CI v3 API for public build logs
|
||||
- CircleCI queries CircleCI v2 pipeline API for build pipelines
|
||||
- JenkinsSource queries open Jenkins /api/json for job build consoles
|
||||
- GitLabCISource queries GitLab projects API filtered for CI-enabled projects
|
||||
- All 5 sources integrated into RegisterAll (45 total), with full integration test coverage
|
||||
|
||||
## Task Commits
|
||||
|
||||
Each task was committed atomically:
|
||||
|
||||
1. **Task 1: Implement 5 CI/CD sources + tests + wiring** - `e0f267f` (feat)
|
||||
|
||||
## Files Created/Modified
|
||||
- `pkg/recon/sources/githubactions.go` - GitHub Actions workflow log source (token-gated)
|
||||
- `pkg/recon/sources/githubactions_test.go` - Unit tests with httptest fixture
|
||||
- `pkg/recon/sources/travisci.go` - Travis CI public build log source (credentialless)
|
||||
- `pkg/recon/sources/travisci_test.go` - Unit tests with httptest fixture
|
||||
- `pkg/recon/sources/circleci.go` - CircleCI pipeline source (token-gated)
|
||||
- `pkg/recon/sources/circleci_test.go` - Unit tests with httptest fixture
|
||||
- `pkg/recon/sources/jenkins.go` - Jenkins console output source (credentialless)
|
||||
- `pkg/recon/sources/jenkins_test.go` - Unit tests with httptest fixture
|
||||
- `pkg/recon/sources/gitlabci.go` - GitLab CI pipeline source (token-gated)
|
||||
- `pkg/recon/sources/gitlabci_test.go` - Unit tests with httptest fixture
|
||||
- `pkg/recon/sources/register.go` - Extended RegisterAll to 45 sources, added CircleCIToken to SourcesConfig
|
||||
- `pkg/recon/sources/register_test.go` - Updated expected source count and name list to 45
|
||||
- `pkg/recon/sources/integration_test.go` - Added fixtures and source registrations for all 5 new sources
|
||||
- `cmd/recon.go` - Wired CIRCLECI_TOKEN env var into SourcesConfig
|
||||
|
||||
## Decisions Made
|
||||
- GitHubActions and GitLabCI reuse existing GitHub/GitLab tokens; CircleCI gets dedicated CIRCLECI_TOKEN
|
||||
- TravisCI and Jenkins are credentialless (target public/open instances); other 3 are credential-gated
|
||||
- RegisterAll extended to 45 sources total
|
||||
|
||||
## Deviations from Plan
|
||||
|
||||
None - plan executed exactly as written.
|
||||
|
||||
## Issues Encountered
|
||||
None
|
||||
|
||||
## User Setup Required
|
||||
None - no external service configuration required.
|
||||
|
||||
## Next Phase Readiness
|
||||
- 5 CI/CD sources ready for production use
|
||||
- RegisterAll wires all 45 sources; future Phase 14 plans (web archives, frontend leaks) will extend to 50+
|
||||
|
||||
---
|
||||
*Phase: 14-osint_ci_cd_logs_web_archives_frontend_leaks*
|
||||
*Completed: 2026-04-06*
|
||||
Reference in New Issue
Block a user