
docs: add production deployment map and onboarding verify guardrails #240


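# Secret Guard: fails the build when leaked credentials, internal IP addresses,
# real home-directory paths, internal domains or credential files are committed.
name: Secret Guard

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader reads it as the
# trigger map, so it stays unquoted here.
on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

# Least-privilege token: every job only reads the checkout, so drop the default
# write scopes from GITHUB_TOKEN for the whole workflow.
permissions:
  contents: read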
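jobs:
  scan-secrets:
    name: Scan for leaked secrets & PII
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # Full history so the scanner can walk every commit, not just HEAD.
          fetch-depth: 0
      - name: Run TruffleHog
        # TODO(review): @main is a mutable ref; pin this to a release tag or a
        # commit SHA (placeholder: trufflesecurity/trufflehog@<PINNED_SHA>) so the
        # scanner that guards the repo cannot itself change underneath the check.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # Report only findings TruffleHog could verify, to keep noise down.
          extra_args: --only-verified

  scan-custom-patterns:
    name: Scan for internal infrastructure leaks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Check for Tailscale / internal IPs
        run: |
          set -e
          # 100.x.x.x (broader than Tailscale's 100.64.0.0/10 CGNAT range, kept
          # conservative) plus the RFC 1918 ranges 10/8, 172.16/12 and 192.168/16.
          OCTET='[0-9]{1,3}'
          PATTERNS="100\.${OCTET}\.${OCTET}\.${OCTET}|10\.${OCTET}\.${OCTET}\.${OCTET}|172\.(1[6-9]|2[0-9]|3[01])\.${OCTET}\.${OCTET}|192\.168\.${OCTET}\.${OCTET}"
          # This workflow defines the patterns, so it is excluded from its own scan.
          MATCHES=$(git grep -nE "$PATTERNS" -- '*.md' '*.ts' '*.tsx' '*.js' '*.json' '*.yaml' '*.yml' '*.sh' '*.py' \
            | grep -v '^\.github/workflows/secret-guard\.yml:' \
            || true)
          if [ -n "$MATCHES" ]; then
            echo "❌ INTERNAL IP ADDRESSES DETECTED:"
            echo "$MATCHES"
            exit 1
          fi
          echo "✅ No internal IPs found"
      - name: Check for real usernames in paths
        run: |
          set -e
          # Block real home directories while allowing documented placeholders.
          MAC_HOME='/Users/'
          LINUX_HOME='/home/'
          PATTERNS="${MAC_HOME}[^/]+/|${LINUX_HOME}[^/]+/"
          # Exclusions: this workflow, the .planning/ tree, and the placeholder
          # usernames (yourname, USERNAME, $USER) that docs are allowed to use.
          MATCHES=$(git grep -nE "$PATTERNS" -- '*.md' '*.ts' '*.tsx' '*.js' '*.json' '*.yaml' '*.yml' '*.sh' '*.py' \
            | grep -v '^\.github/workflows/secret-guard\.yml:' \
            | grep -v '^\.planning/' \
            | grep -vE '(/Users/yourname/|/Users/USERNAME/|/Users/\$USER/|/home/yourname/|/home/USERNAME/|/home/\$USER/)' \
            || true)
          if [ -n "$MATCHES" ]; then
            echo "❌ REAL USERNAME PATHS DETECTED:"
            echo "$MATCHES"
            exit 1
          fi
          echo "✅ No real username paths found"
      - name: Check for internal domains
        run: |
          set -e
          # Add your own internal domains here (matched case-insensitively).
          BLOCKLIST='epiloguecapital|your-internal-domain-here'
          MATCHES=$(git grep -niE "$BLOCKLIST" -- '*.md' '*.ts' '*.tsx' '*.js' '*.json' '*.yaml' '*.yml' '*.sh' '*.py' \
            | grep -v '^\.github/workflows/secret-guard\.yml:' \
            || true)
          if [ -n "$MATCHES" ]; then
            echo "❌ INTERNAL DOMAINS DETECTED:"
            echo "$MATCHES"
            exit 1
          fi
          echo "✅ No internal domains found"
      - name: Check for .env.local commits
        run: |
          set -e
          # Tracked files only: an untracked local .env.local is fine.
          if git ls-files | grep -Eq '(^|/)\.env\.local$'; then
            echo "❌ .env.local is committed anywhere in the repo — move secrets to .env.example with placeholders"
            exit 1
          fi
          echo "✅ No .env.local in git"

  scan-filenames:
    name: Scan for suspicious filenames
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Check for credential files
        run: |
          set -e
          # Private keys, keystores, SSH identities and cloud service-account files
          # should never be tracked; match on the tracked path, case-insensitively.
          SUSPICIOUS=$(git ls-files | grep -iE '\.pem$|\.key$|\.p12$|\.pfx$|id_rsa|id_ed25519|credentials\.json|service-account.*\.json' || true)
          if [ -n "$SUSPICIOUS" ]; then
            echo "❌ SUSPICIOUS FILES DETECTED:"
            echo "$SUSPICIOUS"
            exit 1
          fi
          echo "✅ No credential files in git"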