security: pre-commit secret scanner (prevent public-repo key leaks)#27
Conversation
…guard) After the gemini-config.json leak (root-level config outside the config/* gitignore), add prevention so it can't recur no matter who commits to this PUBLIC repo: - .githooks/pre-commit: blocks staging secret-bearing files (root *-config.json, .env, *.bak) AND any staged line matching credential patterns (xfb_/antfarm_/ sk-/gh?_/AIza/xai-/JWT/PEM/Discord/generic api_key=). Pure grep, no gitleaks install needed. --no-verify bypass for genuine false positives. - scripts/install-git-hooks.sh: points core.hooksPath at .githooks (run once/clone). Tested: blocks secret files + inline keys + PEM; clean commits pass, no errors. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ff0c832a86
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
- diff filters ACM -> ACMR so a rename (git mv safe.txt .env, or → *-config.json) can't skip the filename block or the content scan. - add github_pat_ (fine-grained GitHub PAT) to the credential patterns; the old gh?_ rule only caught classic tokens. Tested: rename-to-.env and a github_pat_ token both block; clean commits pass. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|
Queue audit (2026-07-13): merge-ready. CLEAN mergeable, CI green on node 18/20/22, and the codex review findings were addressed (c81ee13 closes the rename and fine-grained-PAT bypasses). Nothing equivalent exists on main, and the recent gemini-config.json leak (da2cdc3) is exactly the incident class this hook prevents. Recommend merge. |
Follow-up to the gemini-config.json leak (Petrus: keep IAK public, so prevent leaks instead of going private). Adds a dependency-free pre-commit secret scanner so a key can't be committed to this public repo again, regardless of who commits.
.githooks/pre-commit— blocks (a) staging secret-bearing files (root-level*-config.json,.env,*.bak— exactly how gemini-config.json slipped past theconfig/*gitignore), and (b) any staged line matching credential patterns: xfb_ / antfarm_ / sk- / gh?_ / AIza / xai- / JWT / PEM private key / Discord token / genericapi_key=. Pure grep, no gitleaks/trufflehog install required.git commit --no-verifybypass for genuine false positives (with a warning).scripts/install-git-hooks.sh— one-timegit config core.hooksPath .githooksper clone.Tested: blocks a secret config file, an inline
ghp_token, and a PEM key; clean commits pass with no errors. The commit adding the hook passed the hook's own scan.Already installed on the Mini (.git/hooks) for immediate protection. Merge to share it with the fleet; each clone runs the install script once.
🤖 Generated with Claude Code