bf9395e022
CI / results (push) Blocked by required conditions
CI / license-header (push) Has been skipped
CI / e2e-dry-run (push) Has been skipped
CI / e2e-live (push) Waiting to run
CI / fast-gate (push) Failing after 0s
Test PR Label Logic / test-pr-labels (push) Failing after 1s
Skill Format Check / check-format (push) Failing after 2s
CI / security (push) Failing after 5s
CI / unit-test (push) Has been skipped
CI / lint (push) Has been skipped
CI / script-test (push) Has been skipped
CI / deterministic-gate (push) Has been skipped
CI / coverage (push) Has been skipped
CI / deadcode (push) Waiting to run
67 lines
2.8 KiB
Bash
Executable File
67 lines
2.8 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
|
# SPDX-License-Identifier: MIT
|
|
#
|
|
# check-doc-tokens.sh
|
|
#
|
|
# Scans skill reference docs for token-like values that look realistic but
|
|
# are not using the required placeholder format (*_EXAMPLE_TOKEN or similar).
|
|
#
|
|
# Real token patterns (Lark API) often look like:
|
|
# wikcnXXXXXXXXX doccnXXXXXXX shtcnXXX fldcnXXX ou_XXXX cli_XXXX
|
|
#
|
|
# Docs MUST use clearly fake placeholders, e.g.:
|
|
# wikcn_EXAMPLE_TOKEN doccn_EXAMPLE_TOKEN <space_id> your_token_here
|
|
#
|
|
# If this check fails, replace the realistic-looking value with a placeholder
|
|
# like `wikcn_EXAMPLE_TOKEN` so gitleaks CI won't flag it as a real secret.
|
|
|
|
set -euo pipefail
|
|
|
|
SKILLS_DIR="${1:-skills}"
|
|
ERRORS=0
|
|
|
|
# Patterns that indicate a realistic-looking Lark token value.
|
|
# Three forms are detected:
|
|
# 1. JSON-style quoted strings: "field": "token_value"
|
|
# 2. Markdown backtick spans: `token_value`
|
|
# 3. Bare tokens: --flag wikcnABC123 (e.g. inside fenced code blocks)
|
|
#
|
|
# Token prefixes used by Lark Open Platform:
|
|
# wikcn doccn docx shtcn bascn fldcn vewcn tbln ou_ cli_ obcn flec
|
|
#
|
|
# Excluded (clearly fake, matched by PLACEHOLDER_RE below):
|
|
# - Values containing EXAMPLE / _TOKEN / XXXX / your_ / _here
|
|
# - Angle-bracket placeholders <your_token>
|
|
# Require at least one digit in the suffix — real API tokens are always alphanumeric
|
|
# with digits. Pure-letter suffixes (e.g. ou_manager, ou_director) are clearly fake names.
|
|
PREFIXES='(wikcn|doccn|docx[a-z]|shtcn|bascn|fldcn|vewcn|tbln|obcn|flec|ou_|cli_)'
|
|
TOKEN_BODY="${PREFIXES}"'[A-Za-z0-9]*[0-9][A-Za-z0-9]{3,}'
|
|
REALISTIC_TOKEN_RE="\"${TOKEN_BODY}\"|\`${TOKEN_BODY}\`|\\b${TOKEN_BODY}\\b"
|
|
PLACEHOLDER_RE='(EXAMPLE|_TOKEN|XXXX|xxxx|<|>|your_|_here)'
|
|
|
|
while IFS= read -r -d '' file; do
|
|
# grep returns exit 1 when no match — use || true to avoid set -e killing us
|
|
# Then filter out values that are clearly placeholders (EXAMPLE, XXXX, etc.)
|
|
matches=$(grep -nEo "$REALISTIC_TOKEN_RE" "$file" 2>/dev/null | grep -vE "$PLACEHOLDER_RE" || true)
|
|
if [[ -n "$matches" ]]; then
|
|
echo ""
|
|
echo "❌ $file"
|
|
echo " Contains realistic-looking token values that may trigger gitleaks:"
|
|
while IFS= read -r line; do
|
|
echo " $line"
|
|
done <<< "$matches"
|
|
echo " → Replace with a placeholder, e.g.: wikcn_EXAMPLE_TOKEN, doccn_EXAMPLE_TOKEN"
|
|
ERRORS=$((ERRORS + 1))
|
|
fi
|
|
done < <(find "$SKILLS_DIR" -path "*/references/*.md" -print0)
|
|
|
|
if [[ $ERRORS -gt 0 ]]; then
|
|
echo ""
|
|
echo "❌ check-doc-tokens: $ERRORS file(s) contain realistic token values in reference docs."
|
|
echo " Use _EXAMPLE_TOKEN placeholders to avoid false positives in gitleaks CI."
|
|
exit 1
|
|
else
|
|
echo "✅ check-doc-tokens: all reference docs use safe placeholder tokens."
|
|
fi
|