
Commit 1aa1c04

chore(hooks): flag tailnet hostnames and CGNAT IPs in the secret scan
Extend the pre-commit secret-scan to catch environment-specific values (*.ts.net MagicDNS names and 100.64.0.0/10 tailnet IPs) so live infra can't be committed into code, docs, or examples. Verified: detects leaks, no false positive on 192.0.2.x or non-CGNAT 100.x, and the script does not self-trip.
1 parent 239eb33 commit 1aa1c04

1 file changed

Lines changed: 7 additions & 2 deletions


scripts/secret-scan.sh

@@ -52,12 +52,17 @@ check_pattern "Honcho-style JWT (likely)" 'eyJ[A-Za-z0-9_-]{20,}\.eyJ[A-Za-z0-9_
5252
check_pattern "RSA/EC/DSA/OpenSSH private key block" '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'
5353
check_pattern "Generic hardcoded password" '(password|passwd|pwd)[[:space:]]*[:=][[:space:]]*["'\'']\w{8,}["'\'']'
5454

55+
# Environment-specific values — keep live infra out of committed code/docs/PRs.
56+
# Use examples instead (honcho.example.net; 192.0.2.x per RFC 5737 TEST-NET).
57+
check_pattern "Tailnet hostname (env-specific; use example.net)" '[A-Za-z0-9-]+\.ts\.net'
58+
check_pattern "Tailnet/CGNAT IP (env-specific; use 192.0.2.x)" '100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3}\.[0-9]{1,3}'
59+
5560
if [ $FOUND -eq 1 ]; then
56-
printf '\n\033[31m✗ Secret scan: potential secrets in staged changes\033[0m\n' >&2
61+
printf '\n\033[31m✗ Secret scan: potential secrets or environment-specific values in staged changes\033[0m\n' >&2
5762
printf '%b' "$FINDINGS" >&2
5863
printf '\n' >&2
5964
printf 'If this is a false positive, bypass with: \033[33mgit commit --no-verify\033[0m\n' >&2
60-
printf 'Otherwise: remove the secret, rotate the credential, and re-stage.\n\n' >&2
65+
printf 'Otherwise: remove the secret/value (use an example), rotate if a credential, and re-stage.\n\n' >&2
6166
exit 1
6267
fi
6368
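Review bot: the CGNAT regex on the `check_pattern "Tailnet/CGNAT IP (env-specific; use 192.0.2.x)"` line has no boundary on either side and accepts any 1-3 digit octet, so `1100.64.1.1`, `100.64.1.1234` and `100.64.999.1` also match, and any longer digit run (a hash, build id or version string) that happens to contain `100.64` through `100.127` followed by two dotted numbers will trip the hook; the verification list in the message covers 192.0.2.x and non-CGNAT 100.x but not these adjoining-digit cases. If `check_pattern` runs an extended regex, guarding both ends and bounding the octets fixes it, e.g. `(^|[^0-9.])100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}([^0-9]|$)`, plus a `1100.64.1.1` negative case in the checks. Minor: `[A-Za-z0-9-]+\.ts\.net` captures only the leaf label, so a finding for `host.tailnet-name.ts.net` is reported as `tailnet-name.ts.net`; that is enough to block the commit, but `([A-Za-z0-9-]+\.)+ts\.net` would report the full hostname the author has to replace.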
