Files
truenas-stacks/docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md

3.6 KiB

Incident: UniFi Baseline Secret Leak (2026-05-22)

Summary

A raw UniFi baseline export was committed to the main truenas-stacks repo during the May 22, 2026 network-cutover documentation pass. GitGuardian later flagged three secret leaks in the latest commits.

The leaked material came from a controller export artifact, not from a normal .env file.

What leaked

The committed file contained three WireGuard secrets in home/doris-dashboard/docs/baselines/unifi-object-baseline-2026-05-22-024653.json:

  1. an embedded wireguard_client_configuration_file containing a PrivateKey = ...
  2. one x_wireguard_private_key
  3. another x_wireguard_private_key

How it happened

The failure mode was:

  1. a read-only UniFi object baseline was captured to support cautious cutover work
  2. the export was saved as a raw JSON artifact under home/doris-dashboard/docs/baselines/
  3. that raw export was treated like a harmless recon artifact and committed alongside other network redesign docs
  4. the export included VPN/WireGuard fields that are safe for controller runtime but unsafe for a git-tracked documentation repo
  5. GitGuardian detected the leaked keys after push

Root cause

This was a process failure, not a git-crypt failure.

The repo already had rules for .env secrets, but not a strong enough rule for controller exports / diagnostic baselines / machine snapshots that may embed secrets even when they are not named .env.

In short:

  • we protected the usual secret files
  • we did not treat raw infrastructure exports as secret-bearing by default

Remediation completed

The following remediation was performed:

  • the leaked values were removed from the working tree
  • git history was rewritten to purge the exact leaked values
  • cleaned history was force-pushed to both origin and github
  • raw JSON baseline exports under home/doris-dashboard/docs/baselines/ were moved out of the main repo policy
  • the repo now documents that only sanitized summaries or explicitly redacted artifacts belong in the main repo

New permanent rules

  1. Raw controller/API exports do not belong in the main repo.
    • Examples: UniFi networkconf, portconf, full appliance JSON dumps, diagnostic snapshots, vendor backups, tunnel/client config exports.
  2. Assume machine exports are secret-bearing until proven otherwise.
    • If it came from a controller or appliance, inspect it like a secret file.
  3. Only commit one of these:
    • a markdown summary
    • a purpose-built redacted JSON artifact
    • a generated diff with secret-bearing keys removed
  4. Before committing infra artifacts, scan them explicitly.
    • Look for terms like private_key, wireguard, token, secret, password, Authorization, cookie, client_secret.
  5. If raw export retention is required, store it outside the main repo.
    • Prefer the encrypted secrets repo or another non-public operator-only location.
  6. If a secret-bearing export is committed, treat it as an incident.
    • redact/remove from current tree
    • rewrite history
    • force-push
    • rotate live credentials/keys as appropriate

History cleanup fixed the repo exposure. If any leaked WireGuard keys were active in production at the time of exposure, rotate them deliberately and update affected clients.

Prevent-recurrence checklist

  • raw exports ignored by default in the repo path where they are commonly captured
  • incident documented in SECRETS_MANAGEMENT.md
  • dashboard baseline directory has a README explaining what may and may not be committed
  • future cutover notes point to sanitized summaries rather than raw exports