DM Commerce OS ships with repeatable tooling to surface and clean sensitive data before publishing portfolio builds. This document explains how to run the scan, interpret reports, sanitize findings, and (optionally) sweep Git history.
```bash
pnpm scan:sensitive
# or
npm run scan:sensitive
```

The scan inspects the working tree (excluding `.git`, `.next`, `node_modules`, `public/screenshots`, and `prisma/dev.db`) for:
- Private keys
- JWT or opaque bearer tokens
- Generic API keys / secrets / passwords
- Environment variables accidentally committed (except `.env.example`)
- Personal-looking emails (excluding `demo@local.test`)
- Large or binary files needing manual review
- CSV/JSON files with ≥100 rows containing PII columns
The scan produces:

- Console table of the top 50 hits (path, line, type, snippet)
- `scan-report.json` with the full finding list (`matchText` contains the raw match)
Use `--json` for machine-readable output, or `--pattern "<regex>"` to add a custom detector on demand.
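As an added illustration (this is not the project's `scan:sensitive` script), the Node.js example below implements the detector categories listed above over an in-memory tree, honours the exclusion list and the `.env.example` / `demo@local.test` carve-outs, emits findings in the same shape as the report (`path`, `line`, `type`, `snippet`, `matchText`), and accepts an extra regex the way `--pattern` does. The exclusion prefixes, the regexes, the PII column names and the sample files are this example's own assumptions.

```javascript
// Added example, not DM Commerce OS code: a miniature version of the
// sensitive-data scan described above, run over an in-memory map of
// path -> content so it works offline. Swap the object for fs.readdirSync /
// fs.readFileSync to scan a real working tree. Regexes, the PII column list
// and the sample files are this example's own assumptions.

// Paths the page says the real scan skips (assumed: prefix match on posix paths).
const EXCLUDED_PREFIXES = [".git/", ".next/", "node_modules/", "public/screenshots/", "prisma/dev.db"];

// Line-level detectors. Capture group 1, where present, is the secret value itself.
const DETECTORS = [
  { type: "private-key", re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/g },
  { type: "jwt", re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g },
  { type: "generic-secret", re: /(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*["']?([A-Za-z0-9_\-\/+=]{12,})/gi },
  { type: "personal-email", re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
];
const ALLOWED_EMAILS = new Set(["demo@local.test"]);
const PII_COLUMNS = /^(?:email|phone|ssn|address|first_?name|last_?name|dob)$/i;

function isExcluded(p) {
  return EXCLUDED_PREFIXES.some((prefix) => p === prefix || p.startsWith(prefix));
}

// Datasets with >= 100 rows and a PII-looking column (CSV only in this example).
function checkPiiDataset(p, content) {
  if (!p.endsWith(".csv")) return null;
  const rows = content.split("\n").filter((l) => l.trim() !== "");
  if (rows.length === 0) return null;
  const header = rows[0].split(",").map((h) => h.trim());
  const pii = header.filter((h) => PII_COLUMNS.test(h));
  if (pii.length === 0 || rows.length - 1 < 100) return null;
  return { path: p, line: 1, type: "pii-dataset", snippet: rows[0], matchText: pii.join(",") };
}

// Returns findings shaped like the page's report entries:
// { path, line, type, snippet, matchText }. `extraPattern` plays the role of --pattern.
function scanFiles(files, { extraPattern } = {}) {
  const detectors = extraPattern
    ? [...DETECTORS, { type: "custom", re: new RegExp(extraPattern, "g") }]
    : DETECTORS;
  const findings = [];
  for (const [p, content] of Object.entries(files)) {
    if (isExcluded(p)) continue;
    const base = p.split("/").pop();
    // A committed env file is reported as a whole (line 0) unless it is .env.example.
    if (base.startsWith(".env") && base !== ".env.example") {
      findings.push({ path: p, line: 0, type: "env-file", snippet: base, matchText: base });
    }
    const dataset = checkPiiDataset(p, content);
    if (dataset) findings.push(dataset);
    content.split("\n").forEach((line, idx) => {
      for (const { type, re } of detectors) {
        for (const m of line.matchAll(re)) {
          const matchText = m[1] !== undefined ? m[1] : m[0];
          if (type === "personal-email" && ALLOWED_EMAILS.has(matchText.toLowerCase())) continue;
          findings.push({ path: p, line: idx + 1, type, snippet: line.trim().slice(0, 80), matchText });
        }
      }
    });
  }
  return findings;
}

// Constructed sample tree; every value below is fake.
const SAMPLE_FILES = {
  "src/config.ts": 'export const API_KEY = "sk_live_0123456789abcdefXYZ";\nexport const greeting = "hello";\n',
  ".env": "SESSION_SECRET=abcdef1234567890abcdef\n",
  ".env.example": "SESSION_SECRET=\n",
  "docs/contact.md": "Questions? mail demo@local.test or jane.doe@example.com\n",
  "node_modules/pkg/index.js": 'const secret = "should-not-be-reported-1234";\n',
  "keys/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakefakefake\n-----END RSA PRIVATE KEY-----\n",
  "data/customers.csv":
    "id,phone,postcode\n" +
    Array.from({ length: 120 }, (_, i) => `${i},555-01${String(i).padStart(2, "0")},12345`).join("\n") +
    "\n",
};

// Stand-alone run: console table of the top 50 hits, then the JSON report body.
const report = scanFiles(SAMPLE_FILES);
console.table(report.slice(0, 50));
console.log(JSON.stringify({ findings: report }, null, 2));
```

The `matchText` field carries the raw secret exactly as the real report does, which is why `scan-report.json` itself must be reviewed and never published; the `snippet` is truncated to 80 characters so the console table stays readable.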
Review `scan-report.json` first. When ready:

```bash
pnpm sanitize -- --redact            # replace inline secrets with REDACTED
pnpm sanitize -- --delete --redact   # delete non-essential files & redact code
pnpm sanitize -- --interactive ...   # prompt before each change
```

Sanitization rules:
- Always creates backups under `.sanitized-backup/<timestamp>/...`
- Keeps required demo assets (e.g., `/public/files/*.pdf`, `.env.example`, source files)
- For code, only the secret value is replaced by `REDACTED`
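The following Node.js example is added here to show the three rules above in working code; it is not the project's `sanitize` script. It runs over an in-memory tree, backs every touched file up under `.sanitized-backup/<timestamp>/<path>`, never touches the demo assets, and replaces only the secret value so the key name and assignment survive. The `confirm` callback stands in for `--interactive`, `remove` for `--delete`. Which files count as "non-essential", the keep list and the secret regexes are assumptions of this example.

```javascript
// Added example, not the project's sanitize script: applies the sanitization
// rules above to an in-memory tree (path -> content) so it runs offline. The
// "non-essential" file rules, the keep list and the backup layout are this
// example's assumptions; swap the object for fs calls to run it on a checkout.
const REDACTED = "REDACTED";

// Required demo assets: never deleted, never rewritten (assumed list).
const KEEP = [/^\.env\.example$/, /^public\/files\/[^/]+\.pdf$/];

// Files --delete may remove (assumption): committed env files other than
// .env.example, and private-key material.
const DELETABLE = [/(?:^|\/)\.env(?!\.example$)[^/]*$/, /\.(?:pem|key)$/];

// Value-only patterns: the key name / assignment prefix (group 1) survives and
// only the secret is replaced. JWTs are handled first so the generic rule
// cannot chop a token into fragments and leave its payload behind.
const JWT = /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g;
const GENERIC = /((?:api[_-]?key|secret|password|token)\b\s*[:=]\s*["']?)([A-Za-z0-9_\-\/+=]{12,})/gi;

function redactContent(content) {
  let count = 0;
  let out = content.replace(JWT, () => { count += 1; return REDACTED; });
  out = out.replace(GENERIC, (_m, prefix) => { count += 1; return prefix + REDACTED; });
  return { content: out, count };
}

// Mirrors `pnpm sanitize -- --redact --delete --interactive`: `confirm` is the
// interactive prompt (default: approve everything). Every file that is changed
// or removed is copied to .sanitized-backup/<timestamp>/<path> first.
function sanitizeTree(files, { redact = false, remove = false, confirm = () => true, timestamp } = {}) {
  const stamp = timestamp || new Date().toISOString().replace(/[:.]/g, "-");
  const result = { ...files };
  const backups = {};
  const actions = [];
  for (const [p, content] of Object.entries(files)) {
    if (KEEP.some((re) => re.test(p))) continue;
    const backupPath = `.sanitized-backup/${stamp}/${p}`;
    if (remove && DELETABLE.some((re) => re.test(p))) {
      if (!confirm({ action: "delete", path: p })) continue;
      backups[backupPath] = content;
      delete result[p];
      actions.push({ action: "delete", path: p });
      continue;
    }
    if (redact) {
      const { content: next, count } = redactContent(content);
      if (count === 0 || !confirm({ action: "redact", path: p, count })) continue;
      backups[backupPath] = content;
      result[p] = next;
      actions.push({ action: "redact", path: p, count });
    }
  }
  return { files: result, backups, actions };
}

// Constructed sample tree; every secret below is fake.
const SAMPLE_TREE = {
  "src/config.ts": 'export const API_KEY = "sk_live_0123456789abcdefXYZ";\n',
  "src/auth.ts": 'const token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abcdefghijklmnop";\n',
  ".env": "SESSION_SECRET=abcdef1234567890abcdef\n",
  ".env.example": "SESSION_SECRET=\n",
  "public/files/brochure.pdf": "%PDF-1.4 demo asset\n",
};

// Stand-alone run: equivalent of `pnpm sanitize -- --delete --redact`.
const run = sanitizeTree(SAMPLE_TREE, { redact: true, remove: true });
console.log(run.actions);
console.log(Object.keys(run.backups));
```

Because the backup directory holds the original secrets, it should be listed in `.gitignore` and deleted once the sanitized state is committed; otherwise the sweep merely moves the leak.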
If a leaked secret ever landed in history, follow `scripts/history-sweep.md` to:

- Create a safety branch
- Run gitleaks or truffleHog across history
- Rewrite commits with `git filter-repo`
- Force-push once validated
- Re-run `pnpm scan:sensitive` before every push (hooked to `prepush`)
- Store real secrets outside the repository
- Rotate any secret discovered in history, even after removal
- Document incidents and mitigation steps for future reference
For security concerns or findings needing escalation, add notes to `scan-report.json`, commit the sanitized state, and highlight risks in the PR description.