nixos/.claude/secret-scanner.md


Secret Scanner Allowlist

False positive patterns to ignore

SOPS-encrypted secrets files

All secrets.yaml files in this repo are SOPS-encrypted, not plaintext: every leaf value is ENC[AES256_GCM,...] ciphertext and the file carries a top-level sops: metadata block (age recipients, the age-wrapped data key, MAC, version). The ciphertext is not a secret. This only holds while the file is actually encrypted: a secrets.yaml whose values are plain strings rather than ENC[...] has been committed unencrypted and must be reported, not ignored. Ignore:

  • hosts/*/secrets.yaml
  • hosts/*/modules/*/secrets.yaml
  • utils/modules/*/secrets.yaml
  • Any .yaml file matching a path_regex in .sops.yaml

Age public keys

The file .sops.yaml contains age public keys (recipients, prefix age1..., 62 characters). They are used only for encryption and are not sensitive. The matching private identities (prefix AGE-SECRET-KEY-1...) live outside the repo and are never allowlisted, wherever they appear. Ignore:

  • Age public keys (age1...) in .sops.yaml
  • YAML anchors and aliases that name those keys (&dominik, &fw, *dominik, etc.) in .sops.yaml

Nix hashes and store paths

Nix derivations pin sources and dependencies with SHA-256 hashes, either in SRI form (sha256-... followed by base64) or in the older 52-character Nix base-32 form. They verify integrity and reveal nothing secret. Ignore:

  • sha256 / hash attributes in .nix files (e.g., sha256 = "sha256-..." or hash = "sha256-...")
  • npmDepsHash, vendorHash, cargoHash, and similar dependency hashes
  • Nix store paths (/nix/store/...)
  • nix-prefetch-url output hashes
  • SRI hashes (sha256-..., sha512-...)

sops-nix module configuration

sops-nix configuration in .nix files names where a secret lives and how it is installed, not the secret's value. Ignore:

  • sops.secrets.<name> attribute sets
  • sopsFile path references
  • key attributes within sops.secrets blocks (these are YAML key paths, not cryptographic keys)
  • neededForUsers attributes

Other safe patterns

  • flake.lock — contains Nix flake input hashes (integrity, not secrets)
  • SSH public key strings in NixOS configuration (e.g., openssh.authorizedKeys.keys). These start with ssh-ed25519, ssh-rsa or ecdsa-sha2-...; a -----BEGIN ... PRIVATE KEY----- block is never safe
  • WireGuard public keys in NixOS configuration (peers.*.publicKey). A WireGuard private key has exactly the same shape (44 base64 characters), so judge by attribute name: a literal privateKey = "..." is a real secret, while privateKeyFile is a path and is fine
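The rules above as a small Python scanner, added here as an example (not code from this repo). It refuses to allowlist a secrets.yaml that is not actually SOPS-encrypted, tells age recipients apart from age identities, and classifies Nix string attributes by the patterns on this page, deciding WireGuard keys by attribute name. All sample inputs are constructed: the age public key is the example recipient from the age README, the age secret key is a shape-only placeholder with no valid checksum, the WireGuard key value is a placeholder, and attribute names such as recipient, identity, sshKey and apiToken are invented for the example.

```python
"""Secret-scanner allowlist checks (added example, not the repo's own code).

Sample inputs are constructed. The age recipient is the example key from the
age README; the age identity is a shape-only placeholder (no valid checksum).
"""
import re

# SOPS leaf ciphertext as written by `sops -e`: ENC[AES256_GCM,data:..,iv:..,tag:..,type:..]
ENC_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,tag:[A-Za-z0-9+/=]+,type:\w+\]$"
)
SRI_HASH = re.compile(r"^sha(256|512)-[A-Za-z0-9+/]+=*$")           # hash = "sha256-..."
NIX32_HASH = re.compile(r"^[0-9abcdfghijklmnpqrsvwxyz]{52}$")        # legacy sha256 in Nix base-32
AGE_PUBLIC = re.compile(r"^age1[02-9ac-hj-np-z]{58}$")               # bech32 recipient: safe
AGE_SECRET = re.compile(r"AGE-SECRET-KEY-1[02-9AC-HJ-NP-Z]{58}")     # bech32 identity: never safe
SSH_PUBLIC = re.compile(r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+|sk-[\w.-]+@openssh\.com) [A-Za-z0-9+/=]+")
# One `name = "literal";` per line is assumed; multi-line strings and quoted attr names are out of scope.
NIX_STRING_ATTR = re.compile(r'\b([\w.]+)\s*=\s*"([^"]*)"\s*;')
HASH_ATTRS = {"sha256", "hash", "outputHash", "npmDepsHash", "vendorHash", "cargoHash"}
YAML_KEY_VALUE = re.compile(r"^[\w.-]+:\s+(.+)$")


def is_sops_encrypted(yaml_text: str) -> bool:
    """True only if a top-level `sops:` block exists and every leaf value outside it
    is ENC[...] ciphertext. A plaintext secrets.yaml must never be allowlisted."""
    saw_metadata = in_metadata = False
    for raw in yaml_text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        if not raw[0].isspace():                      # top-level key
            in_metadata = body.split(":", 1)[0] == "sops"
            saw_metadata = saw_metadata or in_metadata
        if in_metadata:                               # recipients, age envelope, mac, version
            continue
        if body.startswith("- "):                     # list item, possibly `- key: value`
            body = body[2:].strip()
        if body.endswith(":"):                        # mapping header such as `wifi:`
            continue
        m = YAML_KEY_VALUE.match(body)
        value = (m.group(1) if m else body).strip().strip("\"'")
        if not ENC_VALUE.match(value):
            return False
    return saw_metadata


def classify_nix_line(line: str):
    """'ignore', 'flag' or 'review' for the first `name = "literal";` on a Nix line; None if none."""
    m = NIX_STRING_ATTR.search(line)
    if m is None:
        return None
    name, value = m.group(1).rsplit(".", 1)[-1], m.group(2)
    if AGE_SECRET.search(value) or "PRIVATE KEY-----" in value:
        return "flag"                                 # age identity / PEM private key, any attribute
    if name == "privateKey":
        return "flag"                                 # WireGuard literal; privateKeyFile is a path
    if name in HASH_ATTRS and (SRI_HASH.match(value) or NIX32_HASH.match(value)):
        return "ignore"                               # integrity pin, not a secret
    if value.startswith("/nix/store/") or AGE_PUBLIC.match(value) or SSH_PUBLIC.match(value):
        return "ignore"
    if name in {"publicKey", "key", "sopsFile", "privateKeyFile"}:
        return "ignore"                               # WireGuard peer key, sops-nix key path, file refs
    return "review"


AGE_PUBLIC_EXAMPLE = "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
AGE_SECRET_EXAMPLE = "AGE-SECRET-KEY-1QL3Z7HJY54PW3HYWW5AYYFG7ZQGVC7W3J2ELW8ZMRJ2KG5SFN9AQMCAC8P"

SAMPLE_ENCRYPTED = f"""db_password: ENC[AES256_GCM,data:abcd,iv:efgh,tag:ijkl,type:str]
wifi:
    psk: ENC[AES256_GCM,data:mnop,iv:qrst,tag:uvwx,type:str]
sops:
    age:
        - recipient: {AGE_PUBLIC_EXAMPLE}
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjb25zdHJ1Y3RlZAo=
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.8.1
"""
SAMPLE_PLAINTEXT = "db_password: hunter2\nwifi:\n    psk: correct-horse\n"   # accidental plaintext commit

SAMPLE_NIX = [                                        # constructed lines in the shapes the allowlist names
    '  src = fetchurl { hash = "sha256-' + "A" * 43 + '="; };',
    '  vendorHash = "' + "0" * 52 + '";',
    '  sops.secrets.db_password.key = "db/password";',
    '  { publicKey = "HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw="; }',
    '  privateKey = "HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=";',
    '  sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructed0000000000000000000 user@host";',
    f'  recipient = "{AGE_PUBLIC_EXAMPLE}";',
    f'  identity = "{AGE_SECRET_EXAMPLE}";',
    '  apiToken = "not-a-known-safe-shape";',
]

if __name__ == "__main__":
    print("secrets.yaml encrypted:", is_sops_encrypted(SAMPLE_ENCRYPTED))
    print("plaintext file caught:", not is_sops_encrypted(SAMPLE_PLAINTEXT))
    for nix_line in SAMPLE_NIX:
        print(f"{classify_nix_line(nix_line):7s} {nix_line.strip()}")
```

The YAML walk deliberately skips the sops: block, because its contents (age1 recipients, the age-wrapped data key, the MAC) are exactly the patterns the allowlist already covers; everything else in the file has to be ciphertext or the file is not allowlisted at all. The Nix classifier returns "review" for any string it cannot positively identify, so an unknown high-entropy literal is never silently ignored.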