# Secret Scanner Allowlist

## False positive patterns to ignore

### SOPS-encrypted secrets files

All `secrets.yaml` files in this repo are **SOPS-encrypted** (not plaintext). Their values are SOPS ciphertext, not actual secrets. Ignore:

- `hosts/*/secrets.yaml`
- `hosts/*/modules/*/secrets.yaml`
- `utils/modules/*/secrets.yaml`
- Any `.yaml` file matching a `path_regex` in `.sops.yaml`

Caveat: SOPS encrypts only the values, so an encrypted file still has plaintext key names, every value looks like `ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]`, and the file ends with a `sops:` metadata block. A `secrets.yaml` whose values do not have that shape is plaintext and must still be flagged; the path alone is not proof of encryption.

### Age public keys

The file `.sops.yaml` contains **age public keys** (prefix `age1...`). These are public keys used for encryption, not private keys. Ignore:

- Age public keys (`age1...`) in `.sops.yaml`
- Age public key references (YAML anchors like `&dominik`, `&fw`, etc.) in `.sops.yaml`

Age private keys have the prefix `AGE-SECRET-KEY-1` and are never allowlisted, in `.sops.yaml` or anywhere else.

### Nix hashes and store paths

Nix derivations contain SHA256/SRI content hashes for source integrity verification. These are not secrets. Ignore:

- `sha256` / `hash` attributes in `.nix` files (e.g., `sha256 = "sha256-..."` or `hash = "sha256-..."`)
- `npmDepsHash`, `vendorHash`, `cargoHash`, and similar dependency hashes
- Nix store paths (`/nix/store/...`)
- `nix-prefetch-url` output hashes
- SRI hashes (`sha256-...`, `sha512-...`)

### sops-nix module configuration

Nix files reference sops secret paths as configuration, not actual secret values. Ignore:

- `sops.secrets.` attribute sets
- `sopsFile` path references
- `key` attributes within `sops.secrets` blocks (these are YAML key paths, not cryptographic keys)
- `neededForUsers` attributes

### Other safe patterns

- `flake.lock` — contains Nix flake input hashes (integrity, not secrets)
- SSH **public** key strings in NixOS configuration (e.g., `openssh.authorizedKeys.keys`); these start with `ssh-ed25519`, `ssh-rsa`, or similar. A `-----BEGIN OPENSSH PRIVATE KEY-----` block is not covered by this rule.
- Wireguard **public** keys in NixOS configuration. Wireguard public and private keys have the same 44-character base64 form, so match on the `publicKey` attribute, not on the key format; a `privateKey = "..."` literal must still be flagged.
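The rules above, turned into a triage filter that runs over scanner findings. This is an added example written for this page, not tooling from the repo: it assumes findings arrive as `(path, offending line)` pairs as most scanners report them, and the `.sops.yaml`, `secrets.yaml` texts and findings below are constructed stand-ins for the real files. It also goes slightly beyond the list by checking that a sops-managed file is actually encrypted before allowlisting it, and by refusing to allowlist an age private key wherever it appears.

```python
"""Allowlist filter for secret-scanner findings in a sops-nix repository.

Added example, not the repo's own tooling. Assumes findings arrive as
(path, offending line) pairs; all file texts below are constructed.
"""
import os
import re

# Constructed stand-in for the repo's .sops.yaml (the real file is not shown here).
SOPS_CONFIG = r"""
keys:
  - &dominik age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
  - &fw age1zvkyg2lqzraa2lzjjqqfl9vx6n2y3nlhd9y0jx9jx0j3k3d5q2xq9p4xz8
creation_rules:
  - path_regex: hosts/[^/]+/secrets\.yaml$
    key_groups:
      - age: [*dominik, *fw]
  - path_regex: hosts/[^/]+/modules/[^/]+/secrets\.yaml$
    key_groups:
      - age: [*dominik]
  - path_regex: utils/modules/[^/]+/secrets\.yaml$
    key_groups:
      - age: [*dominik]
"""

BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"          # age keys are bech32
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"       # Nix's own base32 alphabet
AGE_PUBLIC_KEY = re.compile(rf"\bage1[{BECH32}]{{58}}\b")
AGE_SECRET_KEY = re.compile(rf"AGE-SECRET-KEY-1[{BECH32.upper()}]{{58}}")
YAML_ANCHOR = re.compile(r"(?:^|\s)[&*]\w+")          # &dominik / *dominik
SOPS_ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:[a-z]+\]$")
NIX_SAFE = [
    re.compile(r'"(?:sha256-[A-Za-z0-9+/]{43}=|sha512-[A-Za-z0-9+/]{86}==)"'),  # SRI hashes
    re.compile(rf'"[{NIX_BASE32}]{{52}}"'),                                    # nix-prefetch-url style sha256
    re.compile(rf"/nix/store/[{NIX_BASE32}]{{32}}-"),                          # store paths
    re.compile(r"\b(?:ssh-(?:ed25519|rsa)|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+/]+=*"),
    re.compile(r'\bpublicKey\s*=\s*"[A-Za-z0-9+/]{43}="'),                     # WireGuard public key attribute only
    re.compile(r"\bsops\.secrets\b|\bsopsFile\s*=|\bneededForUsers\s*="),      # sops-nix configuration
]


def sops_path_regexes(sops_config_text):
    """Collect every path_regex from .sops.yaml (no YAML parser needed for this shape)."""
    found = re.findall(r"^\s*-?\s*path_regex:\s*(\S+)\s*$", sops_config_text, re.M)
    return [re.compile(p) for p in found]


def is_sops_managed(path, regexes):
    return any(r.search(path) for r in regexes)


def sops_file_is_encrypted(text):
    """Heuristic: every `key: value` / `- value` scalar before the trailing `sops:`
    block must be SOPS ciphertext, and the `sops:` metadata block must exist."""
    saw_value = saw_sops_block = False
    for raw in text.splitlines():
        if raw.startswith("sops:"):
            saw_sops_block = True
            break
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(?:-\s+|[^:#]+:\s*)(.+)$", line)
        if not m:
            continue  # mapping header such as `wifi:` with nested keys
        saw_value = True
        if not SOPS_ENC_VALUE.match(m.group(1).strip()):
            return False
    return saw_value and saw_sops_block


def is_false_positive(path, line, sops_regexes, file_text=""):
    """True if the finding is one of the documented false-positive patterns."""
    if AGE_SECRET_KEY.search(line):
        return False  # never allowlisted, regardless of file
    if is_sops_managed(path, sops_regexes):
        return sops_file_is_encrypted(file_text)
    if os.path.basename(path) == ".sops.yaml":
        return bool(AGE_PUBLIC_KEY.search(line) or YAML_ANCHOR.search(line))
    if path.endswith(".nix") or os.path.basename(path) == "flake.lock":
        return any(p.search(line) for p in NIX_SAFE)
    return False


def triage(findings, sops_config_text, file_texts):
    """Return the findings that still need a human look."""
    regexes = sops_path_regexes(sops_config_text)
    return [(p, l) for p, l in findings
            if not is_false_positive(p, l, regexes, file_texts.get(p, ""))]


# Constructed sample inputs: one genuinely encrypted file, one accidentally plaintext.
ENCRYPTED_SECRETS = """\
wifi:
    password: ENC[AES256_GCM,data:Qk3s8w==,iv:aGVsbG8=,tag:d29ybGQ=,type:str]
sops:
    age:
        - recipient: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
    version: 3.8.1
"""
PLAINTEXT_SECRETS = "wifi:\n    password: correct-horse-battery\n"
FILE_TEXTS = {"hosts/fw/secrets.yaml": ENCRYPTED_SECRETS, "hosts/lab/secrets.yaml": PLAINTEXT_SECRETS}
SAMPLE_FINDINGS = [  # constructed scanner output
    ("hosts/fw/secrets.yaml", "    password: ENC[AES256_GCM,data:Qk3s8w==,iv:aGVsbG8=,tag:d29ybGQ=,type:str]"),
    ("hosts/lab/secrets.yaml", "    password: correct-horse-battery"),
    (".sops.yaml", "  - &fw age1zvkyg2lqzraa2lzjjqqfl9vx6n2y3nlhd9y0jx9jx0j3k3d5q2xq9p4xz8"),
    ("pkgs/tool.nix", '  hash = "sha256-' + "A" * 43 + '=";'),
    ("hosts/fw/wg.nix", '  publicKey = "' + "B" * 43 + '=";'),
    ("hosts/fw/wg.nix", '  privateKey = "' + "C" * 43 + '=";'),
    ("hosts/fw/default.nix", '  sops.secrets."wifi/password".sopsFile = ./secrets.yaml;'),
    ("hosts/fw/default.nix", "  # AGE-SECRET-KEY-1" + "Q" * 58),
]

if __name__ == "__main__":
    for path, line in triage(SAMPLE_FINDINGS, SOPS_CONFIG, FILE_TEXTS):
        print(f"FLAG {path}: {line.strip()}")
```

Of the eight sample findings, only three survive triage: the plaintext `hosts/lab/secrets.yaml`, the WireGuard `privateKey` literal, and the age private key. Everything the page lists as safe is dropped, but a sops-managed path is only trusted after its contents pass the `ENC[...]` check.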