feat(security): add security hardening guide and hooks v3.6.0

- Add guide/security-hardening.md (~10K) covering: - MCP vetting workflow with CVE-2025-53109/53110, 54135, 54136 - Prompt injection evasion techniques (Unicode, ANSI, null bytes) - Secret detection tool comparison (Gitleaks, TruffleHog, GitGuardian) - Incident response procedures - Add 3 new security hooks: - unicode-injection-scanner.sh: zero-width, RTL, ANSI escape detection - repo-integrity-scanner.sh: scan README/package.json for injection - mcp-config-integrity.sh: verify MCP config hash - Update existing hooks: - prompt-injection-detector.sh: +ANSI, +null bytes, +nested cmd - output-secrets-scanner.sh: +env leakage, +generic tokens - Update cross-references in ultimate-guide.md (§7.4, §8.6) - Move MCP Security Hardening to Done in IDEAS.md Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-15 07:39:53 +01:00 · 2026-01-15 07:39:53 +01:00 · 34b2ca7200
commit 34b2ca7200
parent 55a9fa34cf
12 changed files with 986 additions and 22 deletions
--- a/examples/hooks/bash/output-secrets-scanner.sh
+++ b/examples/hooks/bash/output-secrets-scanner.sh
@ -52,6 +52,8 @@ declare -A SECRET_PATTERNS=(
    ["Stripe Key"]="(sk|pk)_(live|test)_[0-9a-zA-Z]{24,}"
    ["Twilio Key"]="SK[a-f0-9]{32}"
    ["SendGrid Key"]="SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}"
+    ["Slack Token"]="xox[baprs]-[0-9a-zA-Z-]{10,}"
+    ["Discord Token"]="[MN][A-Za-z0-9]{23,}\.[A-Za-z0-9-_]{6}\.[A-Za-z0-9-_]{27}"

    # Tokens
    ["GitHub Token"]="(ghp|gho|ghu|ghs|ghr)_[a-zA-Z0-9]{36,}"
@ -59,6 +61,7 @@ declare -A SECRET_PATTERNS=(
    ["NPM Token"]="npm_[a-zA-Z0-9]{36}"
    ["PyPI Token"]="pypi-[a-zA-Z0-9_-]{50,}"
    ["JWT Token"]="eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*"
+    ["Heroku API Key"]="[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

    # Private Keys
    ["Private Key"]="-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
@ -68,9 +71,15 @@ declare -A SECRET_PATTERNS=(
    ["Database URL with Password"]="(postgres|mysql|mongodb)://[^:]+:[^@]+@"
    ["Redis URL with Password"]="redis://:[^@]+@"

-    # Generic
+    # Generic (58% of leaked secrets are "generic" - GitGuardian 2025)
    ["Generic API Key"]="(api[_-]?key|apikey|api[_-]?secret)['\"]?\s*[:=]\s*['\"]?[a-zA-Z0-9_-]{20,}"
    ["Generic Secret"]="(secret|password|passwd|pwd)['\"]?\s*[:=]\s*['\"]?[^\s'\"]{8,}"
+    ["Generic Token"]="(token|auth[_-]?token|access[_-]?token|bearer)['\"]?\s*[:=]\s*['\"]?[a-zA-Z0-9_-]{20,}"
+    ["Private Key Inline"]="['\"]?-----BEGIN[^-]+PRIVATE KEY-----"
+
+    # Environment Variable Leakage
+    ["Env Dump Command"]="^(env|printenv|set)$"
+    ["Proc Environ Access"]="/proc/self/environ|/proc/[0-9]+/environ"
 )

 DETECTED_SECRETS=()