Layer secret leak guardrails
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Hermes Agent
2026-05-22 21:23:15 +00:00
parent 0b528cbb5f
commit d62a391cbf
5 changed files with 195 additions and 47 deletions

View File

@@ -239,27 +239,36 @@ See:
- `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md`
- `home/doris-dashboard/docs/baselines/README.md`
### Pre-commit guardrail for infra artifacts
### Git hook + CI guardrails for infra artifacts
The repo now includes a narrow pre-commit scanner aimed specifically at catching secret-bearing controller/export artifacts before push.
The repo now includes layered guardrails aimed specifically at catching secret-bearing controller/export artifacts before they leave a workstation.
Files:
- `scripts/scan-secret-bearing-artifacts.sh`
- `.githooks/pre-commit`
- `.githooks/pre-push`
- `.github/workflows/secret-guardrails.yml`
Enable it once per clone:
Enable the hooks once per clone:
```bash
git config core.hooksPath .githooks
chmod +x .githooks/pre-commit scripts/scan-secret-bearing-artifacts.sh
chmod +x .githooks/pre-commit .githooks/pre-push scripts/scan-secret-bearing-artifacts.sh
```
Run it manually on staged changes:
Manual runs:
```bash
scripts/scan-secret-bearing-artifacts.sh --staged
scripts/scan-secret-bearing-artifacts.sh --tracked
scripts/scan-secret-bearing-artifacts.sh --git-range origin/main..HEAD
```
What each layer does:
- `pre-commit`: scans staged files before a local commit is created
- `pre-push`: scans the commits about to be pushed, including unpublished branch history
- GitHub Actions: runs the narrow artifact scan across tracked files and also runs Gitleaks on pushes and pull requests
What it is for:
- raw baselines
- exports
@@ -268,7 +277,9 @@ What it is for:
- similar machine-generated infra artifacts
What it is not:
- a full replacement for GitHub/GitGuardian or a generic secret scanner for every file type
- a full replacement for operator judgment about what belongs in the repo
- proof that a raw export is safe just because the scanner stayed quiet
- a reason to skip rotating live secrets if one ever does leak
## Security Reminders