
Commit

Describe secret scan config in README
justinyaodu committed Dec 13, 2023
1 parent c83c8b1 commit 736dad6
Showing 2 changed files with 18 additions and 8 deletions.
16 changes: 8 additions & 8 deletions .secret-scan/secret-scan-config.json
@@ -1,12 +1,4 @@
{
"//": [
"To prevent a particular string from being flagged, add it (or a substring",
"of it) to this array. This can be useful if your repository contains an",
"example of what a credential should look like, a development credential",
"(e.g. a database on localhost), or a previously leaked credential that",
"has already been revoked. Obviously, do not put active credentials here."
],
"allowedStrings": ["mongodb://127.0.0.1", "mongodb://localhost"],
"//": [
"Regexes used to scan the repository contents for secrets.",
"If possible, try to make the regex match the entire secret, or",
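Review bot: removing the leading comment block and `allowedStrings` from the top of the object leaves the file opening directly on the `"//": [ "Regexes used to scan ..."` comment, which is fine, but note that this object still relies on several `"//"` keys as comments (one is visible at the start of this hunk and another immediately follows the removed block). Duplicate keys in a JSON object are undefined territory: lenient parsers keep the last value and strict ones reject the document, so the hunk is a good opportunity to give each comment a distinct key such as `"//regexes"` and `"//allowedStrings"`.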
Expand All @@ -18,6 +10,14 @@
"mongodbUrl": "mongodb([+]srv)?://[^\\s]+",
"firebaseJsonPrivateKeyFile": "-----BEGIN PRIVATE KEY-----[^\\s]+"
},
"//": [
"To prevent a particular string from being flagged, add it (or a substring",
"of it) to this array. This can be useful if your repository contains an",
"example of what a credential should look like, a development credential",
"(e.g. a database on localhost), or a previously leaked credential that",
"has already been revoked. Obviously, do not put active credentials here."
],
"allowedStrings": ["mongodb://127.0.0.1", "mongodb://localhost"],
"//": [
"Do not check for secrets in these files. You should almost always use",
"allowedStrings instead of this. We only add this config because it",
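Review bot: the re-added comment beginning `"To prevent a particular string from being flagged, add it (or a substring` tells users they may allowlist "a previously leaked credential that has already been revoked"; since an allowed entry matches as a substring, suggest wording that recommends adding an identifying portion of the revoked value rather than the full string, so the config does not keep a complete revoked secret in plain text, and that states plainly that whatever is added also suppresses any longer match containing it. The existing entries `"mongodb://127.0.0.1"` and `"mongodb://localhost"` are a good illustration of entries that are specific enough to be safe. Also, with this block moved here the `"//"` key now appears a third time in the same object; a parser that rejects duplicate keys will refuse the file, so distinct keys (for example `"//allowedStrings"`) would be safer.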
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -233,6 +233,16 @@ Initialize your repository's `.gitignore` with the Node.js template from [`githu
git push
```

1. Create a file called `fake-env` somewhere in your repository, and paste the following text into it:

```
mongodb://this-is-a-fake-database
```

If you run `git commit`, you should see an error like `SECRET DETECTED in working tree, file "fake-env"`. This secret scanning tool aims to prevent credentials or other secrets from being committed to Git by accident. After deleting `fake-env`, you should be able to commit again.

To customize what kinds of secrets are detected, especially if you will use credentials for something other than MongoDB or Firebase, see `.secret-scan/secret-scan-config.json` in your repository.

1. Ask anyone else who has already cloned the repository to run `npm install` in the frontend and backend again, so that the Git hooks are installed for them as well.

### CI Configuration
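Review bot: the new paragraph "To customize what kinds of secrets are detected ..." points readers at `.secret-scan/secret-scan-config.json` but does not mention that the same file has an `allowedStrings` list for values that are known not to be secrets; the test string `mongodb://this-is-a-fake-database` introduced a few lines above is exactly the kind of value a reader might be tempted to allowlist instead of deleting, so one sentence here saying that only development or already-revoked values belong in `allowedStrings` would close that gap. The final step also makes clear that the hook is only present in clones where `npm install` was re-run, so it is worth adding a cross-reference to the CI Configuration section that follows and running the same scan there, so that pushes from clones without the hook are still checked.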

0 comments on commit 736dad6
