Updated test_security.sh

test_security.sh

@@ -20,13 +20,11 @@
 #   trivy-config    Trivy Dockerfile/IaC scan only
 #   pip-audit       Python dependency vulnerability audit
 #   npm-audit       Frontend dependency vulnerability audit
-#   gitleaks        Secrets scan across full git history (slow — only in --full or by name)
 #
 # Prerequisites:
 #   pip install bandit[sarif] pip-audit     # Python tools
 #   gh extension install github/gh-codeql   # CodeQL CLI
 #   curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh  # Trivy
-#   go install github.com/zricethezav/gitleaks/v8@latest  # gitleaks (ensure ~/go/bin on PATH)
 #
 
 set -uo pipefail
@@ -210,56 +208,6 @@ scan_npm_audit() {
     (cd frontend && npm audit --audit-level=high) 2>&1
 }
 
-scan_gitleaks() {
-    local bin
-    if check_command gitleaks; then
-        bin="gitleaks"
-    elif [ -x "$HOME/go/bin/gitleaks" ]; then
-        bin="$HOME/go/bin/gitleaks"
-    else
-        echo "SKIP: 'gitleaks' not found. Install: go install github.com/zricethezav/gitleaks/v8@latest"
-        return 2
-    fi
-
-    local report="$PROJECT_ROOT/gitleaks-report.json"
-
-    echo "Scanning full git history (can take several minutes on large repos)..."
-    "$bin" detect --source . --redact --no-banner \
-        --max-target-megabytes=5 \
-        --report-format=json --report-path="$report" 2>&1
-    local exit_code=$?
-
-    if [ -f "$report" ]; then
-        python3 - "$report" << 'PYEOF'
-import json, sys, collections
-from pathlib import Path
-
-path = Path(sys.argv[1])
-findings = json.loads(path.read_text() or "[]")
-if not findings:
-    print()
-    print("No findings.")
-    sys.exit(0)
-
-by_rule = collections.Counter(f.get("RuleID", "?") for f in findings)
-by_file = collections.Counter(f.get("File", "?") for f in findings)
-
-print()
-print(f"{len(findings)} findings  (full details: {path.name})")
-print()
-print("By rule:")
-for rule, n in by_rule.most_common():
-    print(f"  {n:6d}  {rule}")
-print()
-print("Top 10 files by hit count:")
-for fp, n in by_file.most_common(10):
-    print(f"  {n:6d}  {fp}")
-PYEOF
-    fi
-
-    return $exit_code
-}
-
 # ── Job launcher (streams output live with prefix, captures to log) ──────
 
 launch_scan() {
@@ -415,13 +363,13 @@ SCANS_TO_RUN=()
 if [ $# -eq 0 ]; then
     SCANS_TO_RUN=(bandit pip-audit npm-audit)
 elif [ "$1" = "--full" ]; then
-    SCANS_TO_RUN=(bandit pip-audit npm-audit codeql-actions codeql-python codeql-js trivy-image trivy-config gitleaks)
+    SCANS_TO_RUN=(bandit pip-audit npm-audit codeql-actions codeql-python codeql-js trivy-image trivy-config)
 else
     for scan in "$@"; do
         case "$scan" in
             codeql) SCANS_TO_RUN+=(codeql-actions codeql-python codeql-js) ;;
             trivy)  SCANS_TO_RUN+=(trivy-image trivy-config) ;;
-            bandit|codeql-actions|codeql-python|codeql-js|trivy-image|trivy-config|pip-audit|npm-audit|gitleaks)
+            bandit|codeql-actions|codeql-python|codeql-js|trivy-image|trivy-config|pip-audit|npm-audit)
                 SCANS_TO_RUN+=("$scan") ;;
             *)
                 echo -e "${RED}Unknown scan: $scan${NC}"
@@ -443,7 +391,6 @@ for scan in "${SCANS_TO_RUN[@]}"; do
         trivy-config)   launch_scan "trivy-config"   scan_trivy_config ;;
         pip-audit)      launch_scan "pip-audit"      scan_pip_audit ;;
         npm-audit)      launch_scan "npm-audit"      scan_npm_audit ;;
-        gitleaks)       launch_scan "gitleaks"       scan_gitleaks ;;
     esac
 done