The eea.coremetadata is a Plone add-on
Contents
1. Easy to install/uninstall via Site Setup > Add-ons 2. 3.
Add eea.coremetadata to your eggs section in your buildout and re-run buildout:
[buildout] eggs += eea.coremetadata
You can download a sample buildout from:
Or via docker:
$ docker run --rm -p 8080:8080 -e ADDONS="eea.coremetadata" plone
Install eea.coremetadata within Site Setup > Add-ons
It has been developed and tested for Plone 4 and 5. See buildouts section above.
See the contribution guidelines (CONTRIBUTING.md).
eea.coremetadata (the Original Code) is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
The Initial Owner of the Original Code is European Environment Agency (EEA). Portions created by Eau de Web are Copyright (C) 2009 by European Environment Agency. All Rights Reserved.
EEA - European Environment Agency (EU)
This repository uses the Betterleaks GitHub Action to scan the current
repository content on every push and pull request. The scan uses the rules in
.gitleaks.toml and uploads a betterleaks-report artifact when a finding
is detected.
If the optional SMTP secrets are configured, failed scans also send an email to the last commit committer. The workflow expects these repository or organization secrets:
SMTP_URLSMTP_PORT(optional, defaults to25)SMTP_EMAILSMTP_PASSWORD(optional if the SMTP server does not require authentication)
Port 465 is sent with direct TLS; other ports use the default SMTP
handshake. The email includes a short finding summary from the redacted
Betterleaks report, including the redacted matched line from each finding.
There are three common outcomes:
Everything is OK. The
Betterleaks / Scan for secretscheck is green and no action is needed. Regular references to runtime values are OK, for example:token_from_cookie = request.cookies.get("auth_token")A real secret was found. The check is red and the workflow log asks you to download the
betterleaks-reportartifact. Open the artifact from the GitHub Actions run and check the reported file, line and rule. Remove the committed value, move it to the proper secret store, and rotate it if it was exposed. A report entry looks like this:{ "RuleID": "secret-literal-assignment", "File": "src/config.py", "StartLine": 12, "Secret": "[REDACTED]" }The finding is a false positive. Keep the value only if it is clearly not sensitive, such as a test fixture, placeholder, or public example. Add
betterleaks:allowon the same line and include a short explanation in the pull request:test_password = "admin" #betterleaks:allow
Do not add betterleaks:allow to real credentials.