Secrets manager app

.gitignore

@@ -18,7 +18,7 @@
 /build
 /dist
 /env
-*local.env
+surface/local.env
 *.retry
 *.sqlite3-journal
 *.swp

dev/scripts/create-mysql-container.sh

@@ -9,4 +9,12 @@ docker run -d --name dev-surface-mysql \
               -e MYSQL_ALLOW_EMPTY_PASSWORD=yes \
               mysql:8.0.30
 
+echo "Waiting for MySQL to be ready..."
+while ! docker exec dev-surface-mysql mysqladmin ping -h localhost --silent; do
+    sleep 1
+done
+
+echo "Loading timezone info..."
 docker exec dev-surface-mysql bash -c 'mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql'
+
+echo "MySQL container is ready!"

dev/scripts/create-super-user.sh

@@ -2,7 +2,8 @@
 
 set -e
 
-cd $(dirname $0)
+PROJECT_ROOT=$(dirname $(dirname $(dirname $0)))
 
-surface/manage.py createsuperuser --noinput --username admin --email admin@localhost && surface/manage.py changepassword admin
-
+cd "${PROJECT_ROOT}"
+python surface/manage.py createsuperuser --noinput --username admin --email admin@localhost && \
+python surface/manage.py changepassword admin

surface/secretsmanager/README.md

@@ -0,0 +1,102 @@
+# Secrets Manager
+
+A Django app for managing and tracking secrets discovered in source code and git repositories.
+
+## Models
+
+### Secret
+Stores information about discovered secrets:
+- Secret value and hash
+- Source and type of secret
+- Status (new/triaged/false_positive)
+- Criticality level
+- Team ownership
+- Verification status
+- Git source reference
+
+### SecretLocation
+Tracks where secrets were found:
+- File path
+- Git commit
+- Repository URL
+- Timestamp
+- Author
+- Line number
+
+### SecretHistory
+Maintains audit trail of changes to secrets:
+- Changed fields
+- User who made changes
+- Timestamp
+- Version number
+
+## Management Commands
+
+### import_secrets.py
+Imports secrets from TruffleHog JSON output:
+
+```python manage.py import_secrets path/to/secrets.json```
+
+### import_git_secrets.py
+Scans git repositories for sensitive files (certificates, keystores, etc.):
+
+```python manage.py import_git_secrets path/to/git/repo --org your-org```
+
+Supported sensitive file extensions:
+
+### Cryptographic & Certificate Files
+- .jks (Java KeyStore)
+- .p12, .pfx (PKCS#12/Personal Exchange Format)
+- .pem (Privacy Enhanced Mail certificate)
+- .crt, .cer (Certificate files)
+- .key, .keystore (Private Keys)
+- .csr (Certificate Signing Request)
+- .der (Distinguished Encoding Rules certificate)
+- .spc (Software Publisher Certificate)
+
+### Mobile & App Signing
+- .mobileprovision (iOS Provisioning Profile)
+- .keychain (macOS Keychain)
+- .provisionprofile (iOS/macOS Provisioning Profile)
+- .apk.sign (Android App Signing)
+- .aab.sign (Android App Bundle Signing)
+
+### Configuration & Credentials
+- .env, .env.* (Environment files)
+- .conf, .config (Configuration files)
+- .ini (Configuration files)
+- .properties (Java Properties)
+- .secret, .secrets (Generic Secrets)
+- .credentials, .creds (Credential files)
+- .htpasswd (Apache Password files)
+- .netrc (Network credentials)
+
+### Cloud & Infrastructure
+- .aws (AWS credentials)
+- .kube/config (Kubernetes config)
+- .npmrc (NPM registry auth)
+- terraform.tfstate (Terraform state)
+- .terraform.tfvars (Terraform variables)
+
+## Admin Interface
+
+The app provides a Django admin interface with:
+- List and detail views for secrets
+- Filtering by status, criticality, team
+- Direct links to secret locations in GitHub
+- Audit history tracking
+- Bulk update capabilities
+
+## Usage
+
+1. Run migrations:
+
+2. Import secrets using either:
+   - TruffleHog JSON output via `import_secrets`
+   - Direct git scanning via `import_git_secrets`
+
+3. Access the admin interface to:
+   - Triage discovered secrets
+   - Set criticality levels
+   - Assign team ownership
+   - Track remediation status

surface/secretsmanager/admin.py

@@ -0,0 +1,120 @@
+from django.contrib import admin
+from django.utils.html import format_html
+from django.urls import reverse
+from .models import Secret, SecretHistory, SecretLocation
+
+@admin.register(Secret)
+class SecretAdmin(admin.ModelAdmin):
+    list_display = (
+        'secret_preview',
+        'kind',
+        'source',
+        'git_source_link',
+        'location_links',
+        'status',
+        'criticality',
+        'locations_detail',
+        'verified',
+        'updated_at'
+    )
+    list_editable = ('status', 'criticality')
+    list_filter = ('source', 'status', 'criticality', 'verified', 'team', 'git_source', 'secret_hash')
+    search_fields = ('secret', 'source', 'kind', 'team', 'git_source__repo_url', 'secret_hash')
+    readonly_fields = ('created_at', 'updated_at', 'updated_by', 'version', 'secret_hash')
+
+    def secret_preview(self, obj):
+        return obj.secret[:30] + '...' if len(obj.secret) > 30 else obj.secret
+    secret_preview.short_description = 'Secret'
+
+    def git_source_link(self, obj):
+        if obj.git_source:
+            return format_html('<a href="{}" target="_blank">{}</a>', 
+                obj.git_source.repo_url, 
+                obj.git_source.repo_url)
+        return ''
+    git_source_link.short_description = 'Repository'
+
+    def location_links(self, obj):
+        """Numbered links to specific files in repository"""
+        locations = obj.locations.all()
+        if locations:
+            links = []
+            max_links = 10
+            total_links = locations.count()
+
+            for idx, loc in enumerate(locations[:max_links], 1):
+                # Clean up repository URL
+                repo = loc.repository.replace('.git', '')
+                if 'truffleho/' in repo:
+                    repo = repo.replace('truffleho/', 'trufflehog/')
+
+                url = f"{repo}/blob/{loc.commit}/{loc.file_path}#L{loc.line}"
+                links.append(
+                    format_html(
+                        '<a href="{}" target="_blank" title="Line {}">{}</a>',
+                        url,
+                        loc.line,
+                        str(idx)
+                    )
+                )
+
+            if total_links > max_links:
+                links.append(
+                    format_html(
+                        '<span title="{} more locations">...</span>',
+                        total_links - max_links
+                    )
+                )
+
+            return format_html(', '.join(links))
+        return ''
+    location_links.short_description = 'Sources'
+
+    def locations_detail(self, obj):
+        """Magnifying glass icon for detailed locations view"""
+        locations_count = obj.locations.count()
+        if locations_count > 0:
+            url = reverse('admin:secretsmanager_secretlocation_changelist') + f'?secret__id={obj.id}'
+            return format_html(
+                '<a href="{}" title="{} locations" style="text-decoration:none;">🔍 {}</a>',
+                url,
+                locations_count,
+                locations_count
+            )
+        return ''
+    locations_detail.short_description = 'Locations'
+
+    def save_model(self, request, obj, form, change):
+        if change:
+            obj.version += 1
+            SecretHistory.objects.create(
+                secret=obj,
+                changed_fields=form.changed_data,
+                changed_by=request.user,
+                version=obj.version
+            )
+        obj.updated_by = request.user
+        super().save_model(request, obj, form, change)
+
+@admin.register(SecretHistory)
+class SecretHistoryAdmin(admin.ModelAdmin):
+    list_display = ('secret', 'version', 'changed_by', 'changed_at')
+    list_filter = ('secret', 'changed_by')
+    readonly_fields = ('secret', 'changed_fields', 'changed_by', 'changed_at', 'version')
+
+@admin.register(SecretLocation)
+class SecretLocationAdmin(admin.ModelAdmin):
+    list_display = ('secret_preview', 'file_path', 'commit_link', 'timestamp', 'author')
+    list_filter = ('secret', 'repository', 'author')
+    search_fields = ('file_path', 'commit', 'author', 'secret__secret')
+
+    def secret_preview(self, obj):
+        """Show the actual secret value instead of the model string representation"""
+        secret_value = obj.secret.secret
+        return secret_value[:30] + '...' if len(secret_value) > 30 else secret_value
+    secret_preview.short_description = 'Secret'
+
+    def commit_link(self, obj):
+        url = f"{obj.repository}/commit/{obj.commit}"
+        return format_html('<a href="{}" target="_blank">{}</a>', url, obj.commit[:8])
+    commit_link.short_description = 'Commit'

surface/secretsmanager/apps.py

@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class SecretsmanagerConfig(AppConfig):
+    default_auto_field = 'django.db.models.BigAutoField'
+    name = 'secretsmanager'