Add infra artifact secret-scan guardrail

This commit is contained in:
Doris
2026-05-22 21:13:16 +00:00
parent c2c71cfe57
commit 0b528cbb5f
4 changed files with 134 additions and 0 deletions

View File

@@ -239,6 +239,37 @@ See:
- `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md`
- `home/doris-dashboard/docs/baselines/README.md`
### Pre-commit guardrail for infra artifacts
The repo now includes a narrow pre-commit scanner aimed specifically at catching secret-bearing controller/export artifacts before push.
Files:
- `scripts/scan-secret-bearing-artifacts.sh`
- `.githooks/pre-commit`
Enable it once per clone:
```bash
git config core.hooksPath .githooks
chmod +x .githooks/pre-commit scripts/scan-secret-bearing-artifacts.sh
```
Run it manually on staged changes:
```bash
scripts/scan-secret-bearing-artifacts.sh --staged
```
What it is for:
- raw baselines
- exports
- snapshots
- dumps
- similar machine-generated infra artifacts
What it is not:
- a full replacement for GitHub/GitGuardian or a generic secret scanner for every file type
## Security Reminders
- **Key backup**: `C:\Users\Fizzlepoof\Downloads\.git-crypt-secrets.key` — also store in password manager