fix: security hardening

[Danite]

No description provided.

[greptile-apps]

Greptile Summary

This PR hardens the project across three layers: (1) src/output/html.rs now escapes </ as <\/ before embedding JSON in the report's script tag, preventing XSS if dep names contained a </script> sequence; (2) the doctor command masks env-var values whose names match secret-keyword patterns (SECRET, KEY, TOKEN, etc.), preventing accidental credential exposure in terminal output; (3) GitHub Actions steps are pinned to immutable commit SHAs and a deny.toml enforces license and advisory checks in CI.

Key changes:

• src/output/html.rs: XSS mitigation via </ → <\/ escaping in script-embedded JSON
• src/doctor.rs: Secret-aware env-var masking added to check_env_var using is_secret_name
• src/generate/compose.rs: is_sensitive_key helper annotates generated compose env vars with # CHANGE ME
• .github/workflows/ci.yml / release.yml: All third-party actions pinned to commit SHAs (except dtolnay/rust-toolchain)
• deny.toml: New cargo-deny config enforcing license and advisory checks in CI

Confidence Score: 4/5

Safe to merge with two non-blocking P2 style fixes remaining

The core security improvements (HTML XSS escaping, secret masking, SHA-pinned CI actions, cargo-deny) are all correct and well-implemented. The only gaps are the unpinned dtolnay/rust-toolchain action in both workflow files and the minio:latest image tag in the compose generator — both are P2 style issues that do not block merge.

.github/workflows/ci.yml and .github/workflows/release.yml (unpinned dtolnay/rust-toolchain action); src/generate/compose.rs (minio:latest tag)

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Pins checkout and cargo-deny-action to commit SHAs; dtolnay/rust-toolchain@stable remains unpinned
.github/workflows/release.yml	Pins checkout and rust-cache to commit SHAs; dtolnay/rust-toolchain@stable remains unpinned
src/output/html.rs	Adds </ → </ escaping when embedding JSON in script tag — correct XSS mitigation
src/doctor.rs	Adds secret-keyword detection to mask sensitive env var values in terminal output
src/generate/compose.rs	Adds is_sensitive_key helper and # CHANGE ME annotations; minio/minio:latest inconsistently unpinned
src/infra/compose.rs	Port-mapping parser handles 2-part and 3-part formats correctly
src/detectors/ports.rs	Adds regex-based connection-string parsing with known-protocol port table
Cargo.toml	No significant security-relevant dependency changes
deny.toml	New cargo-deny config enforcing license and advisory checks in CI
Cargo.lock	Lock file updated to reflect dependency changes

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[run_doctor] --> B{dep.category}
    B -->|EnvVar| C[check_env_var]
    C --> D{is_secret_name?}
    D -->|yes| E[display: 'set *****']
    D -->|no, len > 30| F[display: truncated...]
    D -->|no, short val| G[display: 'set val']
    B -->|Binary| H[check_binary via which]
    B -->|Port| I[check_port]
    I --> J{direction}
    J -->|listen| K[TcpListener::bind 127.0.0.1:port]
    J -->|connect| L[TcpStream::connect_timeout 127.0.0.1:port]
    B -->|Network| M[check_network DNS + TCP]
    B -->|Filesystem| N[Path::exists]

Loading

Comments Outside Diff (1)

1. src/generate/compose.rs, line 72-75 (link)

   minio/minio:latest should use a pinned version tag

   Every other entry in PROTOCOL_TO_SERVICE uses a specific major-version tag (redis:7, postgres:16, mongo:7, mysql:8, rabbitmq:3-management, nats:2, memcached:1, elasticsearch:8), but MinIO uses :latest. Generated compose files will silently upgrade to a potentially breaking MinIO release on the next docker pull. Pin to a concrete release tag for consistency:

_{Reviews (1): Last reviewed commit: "fix unmaintaned dep" | Re-trigger Greptile}