35 lines
1.6 KiB
Markdown
# Secret Scanner Allowlist
## False positive patterns to ignore
### SOPS-encrypted secrets files
All `secrets.yaml` files in this repo are **SOPS-encrypted** (not plaintext). They contain encrypted ciphertext, not actual secrets. Ignore:
- `hosts/*/secrets.yaml`
- `hosts/*/modules/*/secrets.yaml`
- `utils/modules/*/secrets.yaml`
- Any `.yaml` file matching a `path_regex` in `.sops.yaml`
### Age public keys
The file `.sops.yaml` contains **age public keys** (prefix `age1...`). These are public keys used for encryption, not private keys. Ignore:
- Age public keys (`age1...`) in `.sops.yaml`
- Age public key references (YAML anchors like `&dominik`, `&fw`, etc.) in `.sops.yaml`
### Nix hashes and store paths
Nix derivations contain SHA256/SRI hashes for source integrity verification. These are not secrets. Ignore:
- `sha256` / `hash` attributes in `.nix` files (e.g., `sha256 = "sha256-..."` or `hash = "sha256-..."`)
- `npmDepsHash`, `vendorHash`, `cargoHash`, and similar dependency hashes
- Nix store paths (`/nix/store/...`)
- `nix-prefetch-url` output hashes
- SRI hashes (`sha256-...`, `sha512-...`)
### sops-nix module configuration
Nix files reference sops secret paths as configuration, not actual secret values. Ignore:
- `sops.secrets.<name>` attribute sets
- `sopsFile` path references
- `key` attributes within `sops.secrets` blocks (these are YAML key paths, not cryptographic keys)
- `neededForUsers` attributes
### Other safe patterns
- `flake.lock` — contains Nix flake input hashes (integrity, not secrets)
- SSH **public** key strings in NixOS configuration (e.g., `openssh.authorizedKeys.keys`)
- Wireguard **public** keys in NixOS configuration
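The allowlist above as executable checks, added here as an example and not one of the repo's own files: it maps a scanner finding (path, matched text, optional file contents) to an ignore reason, and for the `secrets.yaml` globs it only ignores a hit when the file really carries a `sops:` metadata block and `ENC[...]` values, so a plaintext `secrets.yaml` committed at an allowlisted path still surfaces. The `ENC[AES256_GCM,...]` value format and the `sops:`/`mac:` block are what sops writes for YAML; the sample files and the age key are constructed.

```python
import re

# Globs copied from the allowlist above; "*" matches one path segment.
SOPS_PATH_GLOBS = ("hosts/*/secrets.yaml", "hosts/*/modules/*/secrets.yaml",
                   "utils/modules/*/secrets.yaml")
SOPS_PATH_RES = [re.compile("^" + re.escape(g).replace(r"\*", "[^/]+") + "$")
                 for g in SOPS_PATH_GLOBS]

BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"          # age keys are bech32
AGE_PUBKEY = re.compile(rf"^age1[{BECH32}]{{58}}$")    # 62 chars in total
SRI_HASH = re.compile(r"^sha(?:256|512)-[A-Za-z0-9+/]{43,86}={0,2}$")
NIX_STORE_PATH = re.compile(r"^/nix/store/[0-9a-df-np-sv-z]{32}-[\w.+-]+")
# A SOPS-encrypted scalar, as sops writes it into YAML files.
SOPS_VALUE = re.compile(r"ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]")

# Constructed sample files (not from the repo): one encrypted, one plaintext.
CONSTRUCTED_AGE_KEY = "age1" + BECH32 + BECH32[:26]
SAMPLE_ENCRYPTED = f"""\
wifi_password: ENC[AES256_GCM,data:c29tZQ==,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: {CONSTRUCTED_AGE_KEY}
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.8.1
"""
SAMPLE_PLAINTEXT = "wifi_password: hunter2\n"   # secrets.yaml committed unencrypted

def is_sops_path(path):
    return any(r.match(path) for r in SOPS_PATH_RES)

def is_sops_encrypted(text):
    """True only if the file has a sops: metadata block with a MAC and ENC[] values."""
    lines = text.splitlines()
    has_meta = any(line.startswith("sops:") for line in lines)
    has_mac = any(line.strip().startswith("mac:") for line in lines)
    return has_meta and has_mac and SOPS_VALUE.search(text) is not None

def classify(path, matched, file_text=None):
    """Map a scanner finding to an allowlist reason, or 'review' for a human."""
    if path.endswith(".nix") or path == "flake.lock":
        if SRI_HASH.match(matched) or NIX_STORE_PATH.match(matched):
            return "ignore:nix-hash-or-store-path"
    if path == ".sops.yaml" and AGE_PUBKEY.match(matched):
        return "ignore:age-public-key"
    # A secrets.yaml is only exempt when it is actually encrypted; a plaintext
    # file at an allowlisted path is exactly what the scanner must still catch.
    if is_sops_path(path) and file_text is not None and is_sops_encrypted(file_text):
        return "ignore:sops-encrypted"
    return "review"
```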