Add infra artifact secret-scan guardrail
This commit is contained in:
@@ -239,6 +239,37 @@ See:
|
||||
- `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md`
|
||||
- `home/doris-dashboard/docs/baselines/README.md`
|
||||
|
||||
### Pre-commit guardrail for infra artifacts
|
||||
|
||||
The repo now includes a narrow pre-commit scanner aimed specifically at catching secret-bearing controller/export artifacts before push.
|
||||
|
||||
Files:
|
||||
- `scripts/scan-secret-bearing-artifacts.sh`
|
||||
- `.githooks/pre-commit`
|
||||
|
||||
Enable it once per clone:
|
||||
|
||||
```bash
|
||||
git config core.hooksPath .githooks
|
||||
chmod +x .githooks/pre-commit scripts/scan-secret-bearing-artifacts.sh
|
||||
```
|
||||
|
||||
Run it manually on staged changes:
|
||||
|
||||
```bash
|
||||
scripts/scan-secret-bearing-artifacts.sh --staged
|
||||
```
|
||||
|
||||
What it is for:
|
||||
- raw baselines
|
||||
- exports
|
||||
- snapshots
|
||||
- dumps
|
||||
- similar machine-generated infra artifacts
|
||||
|
||||
What it is not:
|
||||
- a full replacement for GitHub/GitGuardian or a generic secret scanner for every file type
|
||||
|
||||
## Security Reminders
|
||||
|
||||
- **Key backup**: `C:\Users\Fizzlepoof\Downloads\.git-crypt-secrets.key` — also store in password manager
|
||||
|
||||
Reference in New Issue
Block a user