Files
truenas-stacks/home/doris-dashboard/docs/baselines/README.md
Hermes Agent d62a391cbf
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled
Layer secret leak guardrails
2026-05-22 21:23:15 +00:00

1.5 KiB

Baselines Directory Policy

This directory is for sanitized operator artifacts only.

What belongs here

  • markdown summaries of controller state
  • redacted JSON examples that have been intentionally scrubbed
  • operator notes that support future change windows

What does not belong here

  • raw UniFi controller exports
  • full networkconf / portconf dumps captured straight from the API
  • VPN client/server config exports
  • any artifact containing keys, tokens, passwords, cookies, CSRF material, or embedded auth config

Why this rule exists

A raw UniFi baseline export committed during the 2026-05-22 network redesign documentation pass contained WireGuard private keys and triggered a real secret-leak incident.

See:

  • docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md
  • docs/operations/SECRETS_MANAGEMENT.md

Safe workflow

  1. Capture raw exports outside the main repo or in the encrypted secrets repo.
  2. Inspect them for secret-bearing fields.
  3. Commit only a markdown summary or an explicitly redacted artifact.
  4. Prefer human-readable summaries over raw appliance dumps.
  5. Enable the repo guardrails in each clone:
    git config core.hooksPath .githooks
    chmod +x .githooks/pre-commit .githooks/pre-push scripts/scan-secret-bearing-artifacts.sh
    
  6. Before a risky push or cleanup branch, run the manual checks too:
    scripts/scan-secret-bearing-artifacts.sh --tracked
    scripts/scan-secret-bearing-artifacts.sh --git-range origin/main..HEAD