Merge pull request #287 from PaystackHQ/security/add-secret-scanner-config

security: Add GitHub secret scanning config (assessment)

Author: adedoyin-paystack

.github/secret_scanning.yml

@@ -0,0 +1 @@
+paths-ignore: []

docs/memory/secret-scanning.md

@@ -0,0 +1,172 @@
+# Secret Scanning Assessment - Test Path Patterns
+
+**Date:** 2026-03-05
+**Repository:** nigerialogos
+**Branch:** security/add-secret-scanner-config
+
+## Summary
+
+This repository currently has **NO test infrastructure** configured. After a comprehensive assessment of the codebase, no test directories, test files, or test-related patterns were found.
+
+## Repository Overview
+
+- **Tech Stack:** Node.js (v20+), Vite, vanilla JavaScript, SCSS
+- **Project Type:** Static website for Nigerian company logos
+- **Test Framework:** None configured (package.json test script returns error)
+- **CI/CD:** GitHub Actions with CodeQL analysis only
+
+## Directory Structure
+
+```
+.
+├── .github/workflows/     (CI/CD workflows)
+├── .husky/               (Git hooks)
+├── public/               (Static assets and logos)
+│   ├── images/
+│   └── logos/
+├── src/
+│   ├── js/              (JavaScript modules)
+│   └── scss/            (Sass stylesheets)
+├── index.html
+├── main.js
+├── package.json
+└── vite.config.js
+```
+
+## Assessment Findings
+
+### Test Directories - None Found
+
+Searched for the following directory patterns:
+- ❌ `test/`
+- ❌ `tests/`
+- ❌ `__tests__/`
+- ❌ `spec/`
+- ❌ `specs/`
+- ❌ `e2e/`
+- ❌ `cypress/`
+- ❌ `playwright/`
+- ❌ `fixtures/`
+- ❌ `__fixtures__/`
+- ❌ `mocks/`
+- ❌ `__mocks__/`
+- ❌ `stubs/`
+- ❌ `testdata/`
+- ❌ `test-data/`
+- ❌ `seed/`
+- ❌ `seeds/`
+- ❌ `factories/`
+
+### Test Files - None Found
+
+Searched for the following file patterns:
+- ❌ `*.test.js`
+- ❌ `*.test.ts`
+- ❌ `*.test.jsx`
+- ❌ `*.test.tsx`
+- ❌ `*.spec.js`
+- ❌ `*.spec.ts`
+- ❌ `*.spec.jsx`
+- ❌ `*.spec.tsx`
+- ❌ `*.spec.rb`
+- ❌ `*.test.py`
+- ❌ `*_test.go`
+- ❌ `*_spec.rb`
+
+### Mobile/Android Test Paths - Not Applicable
+
+This is a web frontend project, not a mobile/Android app.
+- ❌ `src/test/**`
+- ❌ `src/androidTest/**`
+- ❌ `src/testDebug/**`
+
+### Test Configuration Files - None Found
+
+- ❌ No jest.config.js
+- ❌ No vitest.config.ts
+- ❌ No playwright.config.ts
+- ❌ No cypress.config.js
+- ❌ No test configuration detected
+
+### Name Collision Check
+
+Verified that no non-test directories or files would be accidentally matched by test patterns:
+- ✅ No directories with names like "testament", "protest", "contest"
+- ✅ No risk of false exclusions from test patterns
+
+## Recommendation
+
+**Empty `.github/secret_scanning.yml` configuration created.**
+
+Since this repository has no test infrastructure:
+1. There are no test fixtures, mock credentials, or seed data to exclude
+2. All source code should be scanned for secrets without exclusions
+3. An empty `paths-ignore: []` list correctly indicates no exclusions
+4. When test infrastructure is added in the future, this configuration should be updated
+
+## Future Considerations
+
+If test infrastructure is added to this repository, consider the following:
+
+1. **If Vitest/Jest is added:**
+   - Exclude patterns: `**/__tests__/**`, `**/*.test.js`, `**/*.spec.js`
+
+2. **If E2E testing (Playwright/Cypress) is added:**
+   - Exclude patterns: `**/e2e/**`, `**/cypress/**`, `**/playwright/**`
+   - Exclude fixtures: `**/fixtures/**`, `**/test-data/**`
+
+3. **If mock/seed data is added:**
+   - Exclude patterns: `**/__mocks__/**`, `**/seeds/**`, `**/factories/**`
+
+4. **General best practices:**
+   - Only exclude paths that contain test fixtures or mock credentials
+   - Never exclude .env files or documentation
+   - Be specific with patterns to avoid accidental exclusions
+   - Review exclusions regularly as the codebase evolves
+
+## Assessment Methodology
+
+This assessment was conducted using:
+1. Directory structure inspection via `ls` and `find` commands
+2. Pattern matching searches for all common test directory names
+3. Pattern matching searches for all common test file naming conventions
+4. Review of package.json for test framework configuration
+5. Verification of no name collisions with legitimate source directories
+
+---
+
+## Implementation
+
+**Date Implemented:** 2026-03-05
+**File Created:** `.github/secret_scanning.yml`
+
+### Configuration
+
+```yaml
+paths-ignore: []
+```
+
+### Justification
+
+An empty `paths-ignore` list was intentionally chosen because:
+
+1. ✅ **No test directories exist** - Comprehensive search found zero test infrastructure
+2. ✅ **No test files exist** - No `*.test.*` or `*.spec.*` files in the repository
+3. ✅ **No mock/fixture data** - No seed data, factories, or mock directories
+4. ✅ **Follows best practices** - Empty list is correct for repos with no tests, prevents over-exclusion
+5. ✅ **Maximum security** - All files will be scanned; no false negatives from overly broad patterns
+
+### Pattern Rules Applied
+
+- ❌ Did not add speculative patterns (no `test/**`, no `**/__tests__/**`)
+- ❌ Did not use broad wildcards (no `**/*test*/**`, no partial matches)
+- ❌ Did not exclude config files (no `*.config.*` patterns)
+- ❌ Did not exclude documentation or .env files
+- ✅ Created minimal, accurate configuration matching actual repo structure
+
+---
+
+**Assessment Status:** Complete ✅
+**Implementation Status:** Complete ✅
+**Action Required:** Commit and push configuration
+**Next Steps:** Convert draft PR to ready for review