Session preparing the GSR Transformer (bankofus) repo for handover to a new dev team. Two notable outcomes: a committed-credentials security finding, and a docs/repo cleanup pass.

1. Security Finding — .env.production committed with live SFTP credentials

.env.production was tracked in git (present in 3 commits). Its FTP_URL held live US Bank SFTP credentials in URL form:

FTP_URL=sftp://user:password@host

The embedded user:password (redacted above) are real production credentials, and they remain leaked for as long as they live in repo history.

Credentials still exposed in git history

Untracking + .gitignore stops new leaks but does NOT remove the credentials from past commits. Anyone with repo access (or a clone) can still recover them. History scrub + password rotation are required to fully close this.

Resolution this session

  • git rm --cached .env.production — untracked the file (working copy kept).
  • Added .env.production to .gitignore.

Still pending — user’s action

  1. Scrub the file from all history:
    git filter-repo --invert-paths --path .env.production
  2. Force-push the rewritten history.
  3. Rotate the SFTP password with US Bank — the old one must be treated as compromised regardless of the scrub.

Pre-handover checklist — catch tracked env files

Before handing over any repo, run:

git ls-files | grep -i env

This surfaces tracked .env* files before they reach a new team. Production env files with embedded credentials get committed easily — .gitignore alone does not protect a file that is already tracked.
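Pulling the pending steps and the pre-handover check together, here is an added example script (not from the session or the bankofus repo) that lists tracked .env-style files with a narrower pattern than `grep -i env`, masks any `scheme://user:password@host` values it finds, and counts the commits that touched each file so the need for a scrub plus rotation is visible at a glance. It assumes POSIX sh with grep, sed and git on PATH; the `--check` flag and all function names are my own.

```shell
#!/bin/sh
# Pre-handover check for tracked env files with URL-embedded credentials.
# Added example, not code from the session or the bankofus repo. Assumes
# POSIX sh with grep, sed and git on PATH; run as: sh handover_check.sh --check

# stdin: paths one per line (e.g. from `git ls-files`); stdout: env-style
# files only (.env, .env.production, config/.env.local, ...). Narrower than
# `grep -i env`, which also matches names like environment.ts or venv/.
filter_env_paths() {
  grep -E '(^|/)\.env(\.[A-Za-z0-9_.-]+)?$'
}

# stdin: file content; stdout: lines holding scheme://user:password@host,
# with the password replaced by *** so the report itself leaks nothing.
find_url_credentials() {
  grep -E '://[^:/@[:space:]]+:[^@[:space:]]+@' \
    | sed -E 's#(://[^:/@[:space:]]+):[^@[:space:]]+@#\1:***@#'
}

# Number of commits in any ref that touched $1: >0 means untracking alone
# is not enough and a history scrub plus rotation is still needed.
history_commit_count() {
  git log --all --oneline -- "$1" | wc -l | tr -d ' '
}

# Walk the tracked env files of the current repo (paths assumed free of
# whitespace) and report findings. Returns 1 if any carries credentials.
handover_env_check() {
  status=0
  for f in $(git ls-files | filter_env_paths); do
    hits=$(find_url_credentials < "$f")
    if [ -n "$hits" ]; then
      status=1
      echo "CREDENTIALS in tracked $f ($(history_commit_count "$f") commits):"
      echo "$hits" | sed 's/^/    /'
    else
      echo "tracked env file (no URL credentials found): $f"
    fi
  done
  return "$status"
}

if [ "${1:-}" = "--check" ]; then
  handover_env_check
fi
```

A non-zero exit makes the check usable as a pre-handover gate in CI; the masked report can be pasted into the handover notes without repeating the leak.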

2. Handover Prep — docs and repo cleanup

Reworked the repo into a state a new team can pick up cold.

Docs

  • README.md — rewritten into a real front door (what the service is, how to run it, where to look next).
  • docs/HANDOVER.md — new, concise: where it runs, known issues, gotchas.
  • Stale-doc fixes — v1.2.0 removed the in-process node-cron scheduler and the /sync endpoints (commits 8e8c2f0, 13dc372), but several docs still described them:
    • docs/pentest-service-description.md
    • .env.example
    • Helm docs
    • All corrected to reflect CronJob-only ingest (no scheduler, no /sync).
  • Swagger path — corrected from /documentation to /docs.
  • Deleted stale summary files.

Repo cleanup

  • Tidied .gitignore.
  • Removed a stale Helm package artifact.
  • Deleted the stale local develop branch.

For Agents

Current ingest model is CronJob-only — there is no in-process scheduler and no /sync endpoint (removed in v1.2.0). The live Swagger UI is at /docs, not /documentation. If older docs/notes contradict this, the v1.2.0 state above is authoritative. See Agent Context (GSR Transformer).