Layer secret leak guardrails
This commit is contained in:
@@ -239,27 +239,36 @@ See:
|
||||
- `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md`
|
||||
- `home/doris-dashboard/docs/baselines/README.md`
|
||||
|
||||
### Pre-commit guardrail for infra artifacts
|
||||
### Git hook + CI guardrails for infra artifacts
|
||||
|
||||
The repo now includes a narrow pre-commit scanner aimed specifically at catching secret-bearing controller/export artifacts before push.
|
||||
The repo now includes layered guardrails aimed specifically at catching secret-bearing controller/export artifacts before they leave a workstation.
|
||||
|
||||
Files:
|
||||
- `scripts/scan-secret-bearing-artifacts.sh`
|
||||
- `.githooks/pre-commit`
|
||||
- `.githooks/pre-push`
|
||||
- `.github/workflows/secret-guardrails.yml`
|
||||
|
||||
Enable it once per clone:
|
||||
Enable the hooks once per clone:
|
||||
|
||||
```bash
|
||||
git config core.hooksPath .githooks
|
||||
chmod +x .githooks/pre-commit scripts/scan-secret-bearing-artifacts.sh
|
||||
chmod +x .githooks/pre-commit .githooks/pre-push scripts/scan-secret-bearing-artifacts.sh
|
||||
```
|
||||
|
||||
Run it manually on staged changes:
|
||||
Manual runs:
|
||||
|
||||
```bash
|
||||
scripts/scan-secret-bearing-artifacts.sh --staged
|
||||
scripts/scan-secret-bearing-artifacts.sh --tracked
|
||||
scripts/scan-secret-bearing-artifacts.sh --git-range origin/main..HEAD
|
||||
```
|
||||
|
||||
What each layer does:
|
||||
- `pre-commit`: scans staged files before a local commit is created
|
||||
- `pre-push`: scans the commits about to be pushed, including unpublished branch history
|
||||
- GitHub Actions: runs the narrow artifact scan across tracked files and also runs Gitleaks on pushes and pull requests
|
||||
|
||||
What it is for:
|
||||
- raw baselines
|
||||
- exports
|
||||
@@ -268,7 +277,9 @@ What it is for:
|
||||
- similar machine-generated infra artifacts
|
||||
|
||||
What it is not:
|
||||
- a full replacement for GitHub/GitGuardian or a generic secret scanner for every file type
|
||||
- a full replacement for operator judgment about what belongs in the repo
|
||||
- proof that a raw export is safe just because the scanner stayed quiet
|
||||
- a reason to skip rotating live secrets if one ever does leak
|
||||
|
||||
## Security Reminders
|
||||
|
||||
|
||||
Reference in New Issue
Block a user