This repository includes automated secret scanning to prevent sensitive information (API keys, passwords, private keys) from being pushed to GitHub.
- Secret Scanner Script: `scripts/security/scan_secrets.sh` - Uses `git grep` with robust regex patterns to find potential secrets.
- Git Hooks: `pre-commit` scans tracked files before every commit; `pre-push` scans tracked files before every push.
- GitHub Action: `.github/workflows/secret-scanning.yml` - Runs Gitleaks on every push to the remote.
- Enhanced Sync Script: `.ignore_stow/git_push_dotfiles.sh` - This script explicitly runs the secret scanner before proceeding.
Ensure the git hooks are executable to activate the local protection:

```
chmod +x .git/hooks/pre-commit .git/hooks/pre-push
```

The hooks are configured to call `scripts/security/scan_secrets.sh` before every commit and push.
If the scanner finds a false positive (a string that looks like a secret but isn't), you can:
- Refine the regex in `scripts/security/scan_secrets.sh`.
- Add the file or directory to the `EXCLUDE` list in `scripts/security/scan_secrets.sh`.
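As an added example (not the repository's own `scripts/security/scan_secrets.sh`), the following POSIX sh scanner uses the same building blocks described above: a list of extended-regex patterns, an `EXCLUDE` prefix list for absorbing false positives, and a non-zero exit that a `pre-commit` or `pre-push` hook can act on. The pattern set, the `EXCLUDE` entries and the `--tracked` flag are constructed for illustration.

```shell
#!/bin/sh
# Added example: a minimal secret scanner in the shape of
# scripts/security/scan_secrets.sh. Patterns and EXCLUDE entries are
# constructed for illustration, not taken from the repository.

# One extended regex per line. Keep patterns tight: broad ones produce the
# false positives that the EXCLUDE list then has to absorb.
SECRET_PATTERNS="AKIA[0-9A-Z]{16}
ghp_[A-Za-z0-9]{36}
-----BEGIN( [A-Z]+)? PRIVATE KEY-----
(password|passwd|secret|token)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}"

# Space-separated path prefixes to skip: the scanner itself and test fixtures.
EXCLUDE='scripts/security/ docs/fixtures/'

# is_excluded PATH -> 0 if PATH begins with any EXCLUDE prefix, else 1.
is_excluded() {
    for prefix in $EXCLUDE; do
        case "$1" in "$prefix"*) return 0 ;; esac
    done
    return 1
}

# scan_files FILE... -> prints path:line:content for each hit.
# Returns 1 if any secret-like string was found, 0 if everything is clean.
scan_files() {
    _pat=$(mktemp) || return 2
    printf '%s\n' "$SECRET_PATTERNS" > "$_pat"
    _found=0
    for f in "$@"; do
        is_excluded "$f" && continue
        [ -f "$f" ] || continue
        # /dev/null forces grep to prefix the file name even for one file.
        if grep -E -I -n -f "$_pat" "$f" /dev/null; then
            _found=1
        fi
    done
    rm -f "$_pat"
    return $_found
}

# scan_tracked -> scan every git-tracked file, which is what the hooks run.
# Assumes tracked paths contain no whitespace (word-splitting on ls-files).
scan_tracked() {
    set -- $(git ls-files)
    scan_files "$@"
}

# Hook entry point: `sh scan.sh --tracked` from pre-commit / pre-push.
if [ "${1:-}" = "--tracked" ]; then
    scan_tracked || { echo "Potential secret found; refusing to continue." >&2; exit 1; }
fi
```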