Harden secret hygiene and add automated leakage checks #2
Austin Humphrey (ahump20) wants to merge 8 commits into
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7773d354e7
```bash
failed=0
for pattern in "${patterns[@]}"; do
if rg -n -P "${pattern}" . "${exclude_globs[@]}" > /tmp/secret_scan_hits.txt; then
```
Include dotfiles when scanning repository for secrets
The main scan uses rg on . without --hidden, so it silently skips hidden files/directories such as .github/** and .env.example; a committed secret in those paths will pass both npm run security:smoke and the CI workflow even though they are tracked source files. I verified this behavior locally by placing an API_KEY="..." value in a hidden file (.tmpsecret), which was not reported, while the same content in a non-hidden file was detected.
Pull request overview
Adds repo-level guardrails to prevent secret leakage by introducing automated secret scanning in local workflows and CI, plus documenting expected secret handling.
Changes:
- Added a ripgrep-based secret “smoke check” script and wired it into npm scripts.
- Added CI secret scanning via a new GitHub Actions workflow (Gitleaks + smoke check).
- Introduced pre-commit detect-secrets configuration + baseline, updated .gitignore, and documented the process in README.md.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| scripts/secret-smoke-check.sh | New repo-wide scan targeting credential-like patterns in source and build outputs. |
| package.json | Adds npm scripts to run the smoke check and local gitleaks helper. |
| .github/workflows/security.yml | New CI workflow to run gitleaks and the smoke check on PRs/pushes. |
| .pre-commit-config.yaml | Adds detect-secrets pre-commit hook configuration. |
| .secrets.baseline | Adds detect-secrets baseline file (currently empty). |
| .gitignore | Ignores .env.* while allowing .env.example. |
| .env.example | Adds a sanitized template guiding use of Cloudflare secret bindings. |
| README.md | Documents the secret hygiene expectations and the smoke check command. |
```bash
if rg -n -P "sk-[A-Za-z0-9]{20,}|ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}" "$dir" > /tmp/build_secret_scan_hits.txt; then
echo "Potential secret token found in build output directory: $dir"
cat /tmp/build_secret_scan_hits.txt
failed=1
fi
```
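Review bot: the build-output pass in this block hard-codes three prefix regexes instead of iterating `"${patterns[@]}"` the way the source pass does, so the generic `(?i)(api[_-]?key|secret|token)...` pattern is never applied to `.next`, `out`, `build` or `public`, and this `rg` call also runs without `--hidden`. Reuse the array so both passes enforce the same rules: `for pattern in "${patterns[@]}"; do if rg -n -P --hidden "${pattern}" "$dir" > /tmp/build_secret_scan_hits.txt; then ...`.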
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot resolve the merge conflicts in this pull request
```bash
fi
done

build_dirs=(.next out build public)
```
```yaml
- name: Run Gitleaks
  uses: gitleaks/gitleaks-action@c7a0bdbe0cbf82e9ef5222da9d19923ad259c1bc # v2
  env:
    GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
```json
"plugins_used": [
  {
```
Before merging, run:

```bash
npm run security:smoke
```

CI also runs Gitleaks plus the same smoke check on every PR.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 07c9bdc683
```bash
fi
done

build_dirs=(.next out build public)
```
Include dist outputs in build artifact scan
The smoke check explicitly rescans only .next, out, build, and public, but this repo’s TypeScript projects write build artifacts to dist under api, sync, and packages/analytics; because .gitignore ignores dist/, the earlier rg . pass will skip those directories. If a built Worker bundle or package output under api/dist contains a token, npm run security:smoke can still pass, which leaves the main artifact location unprotected.
```bash
"sk-[A-Za-z0-9]{20,}"
"ghp_[A-Za-z0-9]{36}"
"AKIA[0-9A-Z]{16}"
"(?i)(api[_-]?key|secret|token)\\s*[:=]\\s*['\"][A-Za-z0-9_\\-]{12,}"
```
Match unquoted credential assignments
This generic assignment pattern requires the secret value to start with a quote, so common unquoted forms such as API_KEY=abcdefghijkl in shell/env-style files or api_key: abcdefghijkl in YAML are not reported by npm run security:smoke unless they also happen to match one of the hard-coded token prefixes. That leaves a straightforward false negative for credential-like assignments in non-hidden tracked files.
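The three Codex findings above (hidden files skipped because `rg` runs without `--hidden`, gitignored `dist/` outputs never rescanned, and an assignment pattern that only matches quoted values) can be reproduced and closed together. The script below is an added example, not the PR's `scripts/secret-smoke-check.sh`: it swaps `rg -P` for `grep -E`, which descends into dotfiles and does not read `.gitignore`, so `api/dist` is covered without being listed; it accepts bare or quoted values in the generic assignment pattern; and it builds a throwaway fixture with hypothetical paths (`.github/workflows/deploy.yml`, `api/dist/worker.js`) and fake values to show the detections. The function names and the fixture are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the PR's scripts/secret-smoke-check.sh). POSIX sh; needs a
# grep that understands -r/-E/--exclude-dir (GNU or BSD grep both do).

# Known token prefixes; these are case-sensitive.
TOKEN_PATTERN='sk-[A-Za-z0-9]{20,}|ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}'
# Generic assignments: key in any case, value quoted ("…" / '…') or bare.
ASSIGN_PATTERN="(api[_-]?key|secret|token)[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_-]{12,}"
# grep does not honour .gitignore, so vendored trees must be excluded by hand.
EXCLUDES='--exclude-dir=.git --exclude-dir=node_modules'

# Print every credential-like hit under $1 as file:line:content.
# Returns 0 when at least one hit was printed, 1 otherwise (also for a missing dir).
find_secrets() {
  local dir=$1 found=1
  [ -d "$dir" ] || return 1
  grep -rInE $EXCLUDES "$TOKEN_PATTERN" "$dir" && found=0
  grep -rInEi $EXCLUDES "$ASSIGN_PATTERN" "$dir" && found=0
  return "$found"
}

# Number of hit lines under $1 (0 for a clean tree).
hit_count() {
  find_secrets "$1" | wc -l | tr -d ' '
}

# Gate for npm scripts / CI: exit 0 = clean, 1 = potential secret (hits printed).
smoke_check() {
  if find_secrets "$1"; then
    echo "Secret smoke check FAILED for $1" >&2
    return 1
  fi
  echo "Secret smoke check passed for $1"
}

# Constructed fixture reproducing the three review findings. Paths and values are
# hypothetical; the AKIA string is a fake made of 16 uppercase characters.
make_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/.github/workflows" "$root/api/dist" "$root/src"
  printf 'dist/\n' > "$root/.gitignore"
  # Hidden path: rg without --hidden skips this; unquoted value: the PR regex skips it.
  printf 'env:\n  API_KEY: abcdefghijkl123456\n' > "$root/.github/workflows/deploy.yml"
  # Gitignored build output: rg honours .gitignore and skips this.
  printf 'const k = "AKIAABCDEFGHIJKLMNOP";\n' > "$root/api/dist/worker.js"
  # Clean source file: must not be reported.
  printf 'export const region = "us-east-1";\n' > "$root/src/config.ts"
  printf '%s\n' "$root"
}

# Run only when executed as a script, so the file can also be sourced by tests.
case "$0" in
  */secret-smoke-check.sh|secret-smoke-check.sh) smoke_check "${1:-.}" ;;
esac
```

Run it as `sh secret-smoke-check.sh .` from the repository root, or source it and call `smoke_check` on a build directory. Two trade-offs worth knowing: because `grep` ignores `.gitignore`, anything large and vendored has to be added to `EXCLUDES`, and accepting bare values in the assignment pattern raises false positives (e.g. placeholder values in `.env.example`), which is exactly what a `detect-secrets` baseline or an allowlist file is for.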
```yaml
env:
  GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
Provide the required Gitleaks license secret
This repository is under the Blaze-sports-Intel organization, and the official gitleaks/gitleaks-action@v2 documentation says organization-owned repos must provide GITLEAKS_LICENSE. Since the new workflow only passes GITHUB_TOKEN, the Gitleaks step will fail before the smoke check runs unless the repository is moved to a personal account or the license secret is added to this env block.
Merged
Motivation

Description

- Updated `.gitignore` and added a sanitized `.env.example` that documents server-only variables and points to Cloudflare secret bindings.
- Added `scripts/secret-smoke-check.sh` to scan source and common build output directories for credential-like patterns and wired a `security:smoke` npm script and a `security:gitleaks` helper in `package.json`.
- Added `.github/workflows/security.yml` that runs `gitleaks` and the smoke check on PRs and pushes, and added a pre-commit `detect-secrets` config plus an empty `.secrets.baseline`.
- Updated `README.md` so maintainers run `npm run security:smoke` before merging.

Testing

- Ran `npm test` (Vitest) and observed all tests pass.
- Ran `npm run security:smoke` and it returned `Secret smoke check passed`.