
PII exposure scan report (2026-04-26) #8

Open
bupd wants to merge 4 commits into main from nightshift/pii-scanner

Conversation

@bupd (Owner) commented Apr 26, 2026

Summary

  • Scanned 5 user-owned repos (dotfiles, code/ks, code/arch-bootc-hetzner, k8s-backups, night-family) and home-directory configs for PII and secret exposure
  • 21 findings: 4 critical, 8 high, 5 medium, 4 low
  • Categories: env-secret (6), hardcoded-pii (6), gitignore-gap (4), unencrypted-storage (3), pii-in-logs (2)
  • All credential values redacted in the report — no real tokens, passwords, or secrets are reproduced

Critical findings

  • Cloudflare API token tracked in git despite .gitignore (F-01, F-12)
  • Keycloak .env with plaintext passwords tracked despite .gitignore (F-03, F-13)

Priority actions

  1. Immediate: Rotate Cloudflare API token and Keycloak/Postgres passwords
  2. Urgent: git rm --cached tracked-but-gitignored files, scrub git history
  3. Soon: Remove Prometheus credential files (F-18), add missing .gitignore patterns, redact session reports, move Helm secrets to sealed secrets

Test plan

  • Report contains no real credential values (all redacted)
  • Finding counts in summary match individual findings
  • All 5 required categories covered

🤖 Generated with Claude Code


Automated by nightshift
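Priority action 2 above ("git rm --cached tracked-but-gitignored files") has a precise check behind it: a .gitignore rule added after a file was committed does nothing to files already in the index, which is exactly how F-01 and F-03 arise. The script below is an added example and is not part of the nightshift report or its scanner. It assumes git is on PATH (git -C needs 1.8.5 or later) and that mktemp -d is available; the function names and the throwaway demo repository, including its placeholder token value, are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the nightshift report or its scanner.
# Assumes: git on PATH (git -C needs 1.8.5+), mktemp -d available.
# Function names and the demo repository contents are made up for this example.

# "gitignore-gap" check: list paths that are in the index even though the
# current .gitignore rules match them. A rule added after the commit has no
# effect on files git already tracks, which is the F-01/F-03 shape.
tracked_but_ignored() {
    git -C "$1" ls-files --cached --ignored --exclude-standard
}

# Priority action 2, first half: drop those paths from the index only.
# The working copy is untouched; the next commit simply stops tracking them.
# Old blobs remain in history, so rotation (action 1) and a history rewrite
# are still required afterwards.
untrack_ignored() {
    repo=$1
    paths=$(tracked_but_ignored "$repo")   # capture before modifying the index
    printf '%s\n' "$paths" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        git -C "$repo" rm --cached --quiet -- "$path"
    done
}

# Constructed repository reproducing the finding shape: a .env committed
# first, the ignore rule added in a later commit. No real credentials.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init --quiet
    git -C "$dir" config user.email demo@example.invalid
    git -C "$dir" config user.name demo
    printf 'CLOUDFLARE_API_TOKEN=placeholder-not-a-real-token\n' > "$dir/.env"
    printf 'demo\n' > "$dir/README"
    git -C "$dir" add .env README
    git -C "$dir" commit --quiet -m 'initial commit (accidentally includes .env)'
    printf '.env\n' > "$dir/.gitignore"    # rule arrives one commit too late
    git -C "$dir" add .gitignore
    git -C "$dir" commit --quiet -m 'add .gitignore'
    printf '%s\n' "$dir"
}

demo=$(make_demo_repo)
echo "tracked but ignored, before: $(tracked_but_ignored "$demo")"
untrack_ignored "$demo"
echo "tracked but ignored, after:  $(tracked_but_ignored "$demo")"
echo "working copy still has .env: $(test -f "$demo/.env" && echo yes || echo no)"
```

Run `tracked_but_ignored .` in each of the scanned repos to confirm the gitignore-gap list is empty after the fix; an empty list only proves the index is clean, not that the secret is gone from history, so it does not replace rotating the token and rewriting history.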

bupd and others added 2 commits March 10, 2026 23:03
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Scan 5 user-owned repos and home-directory configs for PII and
secret exposure across 5 categories: hardcoded-pii, env-secret,
pii-in-logs, unencrypted-storage, and gitignore-gap.

19 findings: 4 critical, 7 high, 4 medium, 4 low.
All credential values are redacted in the report.

Nightshift-Task: pii-scanner
Nightshift-Ref: https://github.com/marcus/nightshift
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@bupd bupd force-pushed the nightshift/pii-scanner branch from 1a2d77e to b20f0b8 on April 26, 2026 00:23
bupd and others added 2 commits April 26, 2026 00:25
Adds finding for pii-in-logs in arch-bootc-hetzner harbor-init.sh
and includes Containerfile.harbor in the default password pattern.
Total findings: 20 (4 critical, 7 high, 5 medium, 4 low).

Nightshift-Task: pii-scanner
Nightshift-Ref: https://github.com/marcus/nightshift
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
prom-stack/admin-user and admin-password are tracked with no
.gitignore coverage. Renumber F-19-F-21. Total: 21 findings
(4 critical, 8 high, 5 medium, 4 low).

Nightshift-Task: pii-scanner
Nightshift-Ref: https://github.com/marcus/nightshift
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>