hallucinaut/no-secrets

🔒 No Secrets - Security Documentation

Project: no-secrets

Purpose: Comprehensive documentation of sensitive information that must never be committed to version control

Maintainer: hallucinaut

Last Updated: 2026-02-12

Version: 2.0.0


⚠️ Critical Rules

Rule #1: Never Commit Secrets

Never commit any of the following to version control:

  • API keys and secrets
  • Database credentials
  • Cloud provider credentials
  • OAuth tokens
  • Cryptographic keys
  • Private SSH keys
  • SSL/TLS certificates
  • Environment configuration files with real values

Rule #2: Use Environment Variables

All secrets should be loaded from environment variables or secret management systems, never from code.

Rule #3: Use Secret Management Tools

  • AWS: Secrets Manager, IAM Roles
  • Google Cloud: Secret Manager
  • Kubernetes: Kubernetes Secrets
  • Docker: Docker Secrets
  • HashiCorp: Vault

Rule #4: Commit Templates, Not Values

  • Commit .env.example with placeholder values
  • Commit configuration templates, not production configs
  • Never commit actual secret values

📚 Complete Secret Catalog

🔴 Environment Configuration Files

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| .env | Critical | Environment variables file |
| .env.local | Critical | Local environment overrides |
| .env.development | Critical | Development environment secrets |
| .env.production | Critical | Production environment secrets |
| .env.test | Critical | Test environment secrets |
| .env.*.local | Critical | Any local override file |
| .env.*.development | Critical | Any dev override file |
| .env.*.production | Critical | Any prod override file |

Example:

# ❌ BAD: Committing real values
DATABASE_URL=postgresql://admin:password@localhost:5432/mydb
API_KEY=sk_live_1234567890abcdef

# βœ… GOOD: Committing template
DATABASE_URL=postgresql://user:password@localhost:5432/database
API_KEY=your_api_key_here

πŸ—„οΈ Database Files

File Pattern Risk Level Description
*.db Critical SQLite database files
*.sqlite Critical SQLite database files
*.sqlite3 Critical SQLite 3 database files
*.db-journal Critical SQLite journal files
*.db-wal Critical SQLite WAL (Write-Ahead Logging) files

🔑 Cryptographic Keys & Certificates

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| *.pem | Critical | Private key certificates, SSL certs |
| *.key | Critical | Private keys (RSA, ECDSA, DSA) |
| *.p12 | Critical | PFX/P12 keystore files |
| *.keypair | Critical | Key pair files |
| *.pkcs12 | Critical | PKCS#12 format certificates |
| *.csr | Critical | Certificate Signing Requests |
| *.crt | Critical | Certificate files |
| *.der | Critical | DER encoded certificates |
| *.pfx | Critical | PFX/P12 format certificates |
| *.cert | Critical | Certificate files |
| *.pub | Critical | Public keys, SSH public keys |
| *.cer | Critical | Certificate files |
| *.p7b | Critical | PKCS#7 certificate chains |
| *.p7c | Critical | PKCS#7 certificates |
| *.p7s | Critical | PKCS#7 signed certificates |

Example:

# ❌ BAD: Committing private keys
server.key
private-key.pem
client.key
id_rsa

# βœ… GOOD: Using environment variables
export SSL_KEY=/run/secrets/server-key
export SSL_CERT=/run/secrets/server-cert

☁️ AWS Configuration

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| .aws/credentials | Critical | AWS credentials file |
| .aws/config | Critical | AWS configuration file |
| aws-secrets | Critical | AWS secrets file |
| aws_keys.txt | Critical | AWS keys file |
| aws-config.json | Critical | AWS configuration JSON |

Example:

# ❌ BAD: Committing AWS credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# βœ… GOOD: Using IAM roles
export AWS_ROLE_ARN=arn:aws:iam::123456789012:role/MyAppRole

🌐 Google Cloud Configuration

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| *.json | Critical | JSON service account files |
| service-account.json | Critical | GCP service account key |
| service-account.key | Critical | GCP service account key |
| gcp-keys.txt | Critical | GCP keys file |
| gcp-config.json | Critical | GCP configuration JSON |
| credentials.json | Critical | Google credentials file |
| gcp-service-account.json | Critical | GCP service account JSON |

Example:

# ❌ BAD: Committing GCP credentials
{
  "type": "service_account",
  "project_id": "my-project",
  "private_key_id": "abc123",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...",
  "client_email": "..."
}

# βœ… GOOD: Using GCP Workload Identity
export GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/gcp-credentials

πŸ” API Keys & Secret Files

File Pattern Risk Level Description
api_keys.txt High API keys file
api_keys.json High API keys JSON
api_keys.yaml High API keys YAML
*.secret High Secret files (any format)
*.secret.json High Secret JSON files
*.secret.yaml High Secret YAML files
*.secret.yml High Secret YML files
private-key.txt Critical Private key text file
access-token.txt High Access token file
refresh-token.txt High Refresh token file
auth-token.txt High Authentication token file
session-token.txt High Session token file

🎫 OAuth Tokens

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| *.token | High | Token files (any format) |
| oauth-token.txt | High | OAuth token file |
| refresh-token.txt | High | OAuth refresh token |
| access-token.txt | High | OAuth access token |
| client-secret.txt | High | OAuth client secret |

🐳 Docker Secrets

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| docker-secrets/ | High | Docker secrets directory |
| secrets.d/ | High | Secrets directory |
| docker-compose.override.yml | High | Docker compose override with secrets |
| docker-compose.secrets.yml | High | Docker compose secrets config |
| .dockerignore | High | Docker ignore file (if contains secrets) |

📊 Monitoring & Analytics Secrets

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| analytics-key.txt | High | Analytics service key |
| analytics-secret.json | High | Analytics secret JSON |
| mixpanel-secret.txt | High | Mixpanel secret |
| amplitude-secret.txt | High | Amplitude secret |
| segment-secret.txt | High | Segment secret |
| matomo-token.txt | High | Matomo token |
| datadog-api-key.txt | High | Datadog API key |
| newrelic-license-key.txt | High | New Relic license key |
| sentry-auth-token.txt | High | Sentry authentication token |
| bugsnag-api-key.txt | High | Bugsnag API key |
| rollbar-api-key.txt | High | Rollbar API key |
| hound-ci-token.txt | High | Hound CI token |
| coveralls.io-token.txt | High | Coveralls.io token |

💳 Payment Processing Secrets

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| stripe-secret-key.txt | Critical | Stripe secret key |
| stripe-publishable-key.txt | High | Stripe publishable key |
| paypal-client-id.txt | High | PayPal client ID |
| paypal-secret.txt | Critical | PayPal secret key |

📧 Email & Communication Secrets

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| sendgrid-api-key.txt | High | SendGrid API key |
| mailgun-api-key.txt | High | Mailgun API key |
| twilio-account-sid.txt | High | Twilio account SID |
| twilio-auth-token.txt | High | Twilio auth token |

📱 Social Media & Platform Secrets

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| slack-api-token.txt | High | Slack API token |
| discord-token.txt | High | Discord bot token |
| github-token.txt | High | GitHub personal access token |
| gitlab-token.txt | High | GitLab personal access token |
| bitbucket-token.txt | High | Bitbucket personal access token |
| notion-api-key.txt | High | Notion API key |
| intercom-api-key.txt | High | Intercom API key |
| zendesk-api-key.txt | High | Zendesk API key |
| freshdesk-api-key.txt | High | Freshdesk API key |
| zoho-api-key.txt | High | Zoho API key |

☁️ Cloud Provider Configuration

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| cloud-config.json | High | Cloud configuration JSON |
| cloud-config.yaml | High | Cloud configuration YAML |
| terraform.tfvars | High | Terraform variables file |
| terraform.tfstate | High | Terraform state file |
| terraform.tfstate.backup | High | Terraform state backup |
| terraform-overrides.tfvars | High | Terraform overrides file |
| cloudformation-parameters.json | High | CloudFormation parameters |
| ansible-vars/ | High | Ansible variables directory |
| ansible-vault-password.txt | High | Ansible vault password |
| azure-credentials.json | Critical | Azure credentials JSON |
| azure-secrets.json | High | Azure secrets JSON |
| az-secrets.txt | High | Azure secrets text file |

πŸ›‘οΈ Kubernetes Secrets

File Pattern Risk Level Description
k8s-secrets/ High Kubernetes secrets directory
kube-secrets/ High Kubernetes secrets directory
secrets/k8s/ High Kubernetes secrets subdirectory
secrets/kube/ High Kubernetes secrets subdirectory
*.secret.k8s High Kubernetes secret file
*.secret.kube High Kubernetes secret file

🌍 Database Migration Files

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| migrations/secrets.sql | High | Secret SQL file |
| migrations/db-credentials.sql | High | Database credentials SQL |

💾 Backup Files

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| *.bak | Low | Backup files |
| *.backup | Low | Backup files |
| *.old | Low | Old files |
| *.orig | Low | Original files |

💧 Docker Compose

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| docker-compose.override.yml | High | Docker compose override |
| docker-compose.secrets.yml | High | Docker compose secrets file |
| .dockerignore | High | Docker ignore file |

πŸ›οΈ HashiCorp Vault Secrets

File Pattern Risk Level Description
vault-secrets.json High Vault secrets JSON
vault-secrets.yaml High Vault secrets YAML
vault-secrets.yml High Vault secrets YML
vault_tokens/ High Vault tokens directory

πŸ—„οΈ Cache Files

File Pattern Risk Level Description
cache/ Low Cache directory
.cache/ Low Cache directory
*.cache Low Cache files

🔒 Lock Files

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| package-lock.json | Low | NPM lock file (sometimes contains tokens) |
| yarn.lock | Low | Yarn lock file (sometimes contains tokens) |
| pnpm-lock.yaml | Low | Pnpm lock file (sometimes contains tokens) |
| bun.lockb | Low | Bun lock file (sometimes contains tokens) |

💾 Database Dump Files

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| *.dump | High | Database dump files |
| *.sql | High | SQL files |
| *.sql.gz | High | Compressed SQL files |
| pg_dump.sql | High | PostgreSQL dump |
| mysqldump.sql | High | MySQL dump |

πŸ“ Application Configuration

File Pattern Risk Level Description
config/production.json High Production configuration JSON
config/production.js High Production configuration JS
config/production.yaml High Production configuration YAML
config/production.yml High Production configuration YML
config/staging.json High Staging configuration JSON
config/staging.js High Staging configuration JS
config/staging.yaml High Staging configuration YAML
config/staging.yml High Staging configuration YML

📊 Logging Files

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| logs/ | Low | Logs directory |
| *.log | Low | Log files |
| npm-debug.log* | Low | NPM debug logs |
| yarn-debug.log* | Low | Yarn debug logs |
| yarn-error.log* | Low | Yarn error logs |
| pnpm-debug.log* | Low | Pnpm debug logs |
| bun-debug.log* | Low | Bun debug logs |
| bun-error.log* | Low | Bun error logs |

🧪 Testing Files

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| test-data/ | High | Test data directory |
| tests/fixtures/secrets/ | High | Test secrets fixtures |
| secrets-test-data/ | High | Secret test data |

🚀 Deployment & CI/CD Secrets

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| cicd-secrets/ | High | CI/CD secrets directory |
| github-actions-secrets/ | High | GitHub Actions secrets |
| gitlab-ci-secrets/ | High | GitLab CI secrets |
| bitbucket-pipelines-secrets/ | High | Bitbucket pipeline secrets |

📂 Data Files

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| data/secrets.csv | High | Secrets CSV file |
| data/credentials.csv | High | Credentials CSV file |
| data/api_keys.csv | High | API keys CSV file |
| exports/ | Medium | Export directory |
| downloads/ | Low | Download directory |
| uploads/ | Medium | Upload directory |
| test-data/ | High | Test data directory |
| tests/fixtures/secrets/ | High | Test secrets fixtures |
| secrets-test-data/ | High | Secret test data |
| backups/ | Medium | Backup directory |
| snapshots/ | Low | Snapshot directory |

🖥️ OS Generated Files

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| .DS_Store | Low | macOS system files |
| Thumbs.db | Low | Windows thumbnail cache |
| desktop.ini | Low | Windows desktop configuration |

📦 Build Artifacts

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| node_modules/ | Low | Node.js dependencies |
| npm-debug.log* | Low | NPM debug logs |
| yarn-debug.log* | Low | Yarn debug logs |
| yarn-error.log* | Low | Yarn error logs |
| lerna-debug.log* | Low | Lerna debug logs |
| dist/ | Low | Distribution directory |
| build/ | Low | Build directory |
| out/ | Low | Output directory |
| target/ | Low | Java target directory |
| *.log | Low | Log files |

📥 Data Export Files

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| export/ | Medium | Export directory |
| exports/ | Medium | Exports directory |
| backups/ | Medium | Backup directory |
| snapshots/ | Low | Snapshot directory |

🔄 Temporary Files

| File Pattern | Risk Level | Description |
| --- | --- | --- |
| tmp/ | Low | Temporary directory |
| temp/ | Low | Temporary directory |
| *.tmp | Low | Temporary files |

🔴 Critical (Immediate Action Required)

  • Database credentials
  • Database dump files
  • Private SSH keys
  • SSL/TLS private keys
  • AWS/GCP/Azure credentials
  • Payment processing keys
  • OAuth client secrets
  • HashiCorp Vault secrets

🟠 High (Critical for Security)

  • API keys and secrets
  • OAuth tokens
  • Email service keys
  • Monitoring/analytics keys
  • Cloud provider configurations
  • Docker secrets
  • Kubernetes secrets
  • Payment API keys

🟡 Medium (Should be Hidden)

  • Application configuration files
  • Deployment CI/CD secrets
  • IDE/editor files
  • Data files with secrets
  • Log files

🟢 Low (Usually Safe)

  • Build artifacts
  • OS generated files
  • Backup files
  • Temporary files
  • Cache files

🔧 Security Best Practices

1. Use Environment Variables

Best Practice: Load secrets from environment variables or secret management systems.

# ✅ GOOD: Using environment variables
export API_KEY="sk_live_abc123"
export DATABASE_URL="postgresql://user:password@localhost:5432/db"

In Code:

// ✅ GOOD
const apiKey = process.env.API_KEY;

// ❌ BAD
const apiKey = "sk_live_abc123";

2. Create .env.example Templates

# .env.example (Safe to commit!)
API_KEY=your_api_key_here
DATABASE_URL=your_database_url_here
AWS_ACCESS_KEY_ID=your_access_key_here
AWS_SECRET_ACCESS_KEY=your_secret_key_here
STRIPE_SECRET_KEY=sk_test_...
TWILIO_AUTH_TOKEN=your_twilio_token
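Rule #4 and the .env.example template above both rest on one distinction: placeholder values may be committed, real values never. That distinction can be checked mechanically before a template is committed. The following is an added example written for this page, not code from the no-secrets project. It parses dotenv syntax (comments, `export`, quotes, trailing comments), then treats a value as a real secret if it carries a known live-credential prefix or is long and high-entropy, while accepting the placeholder conventions the page uses (`your_..._here`, `sk_test_...`, `[YOUR_API_KEY_HERE]`); for connection URLs only the password part is judged. The prefix list, the 20-character and 3.5-bit thresholds, and the two sample templates are this example's own assumptions.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Placeholder conventions used on this page (your_api_key_here, sk_test_...,
# [YOUR_API_KEY_HERE]) plus a few common ones; an assumption of this example.
PLACEHOLDER_RE = re.compile(
    r"your_|_here\b|\.\.\.|changeme|<[^>]*>|\[[A-Z_ ]+\]"
    r"|^(example|password|user|database|localhost)$",
    re.I,
)
# Prefixes that only appear on real credentials (assumption of this example).
LIVE_PREFIX_RE = re.compile(r"^(sk_live_|AKIA|ghp_|xox[baprs]-)")


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse dotenv syntax: KEY=VALUE, optional `export `, quotes, comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                        # quoted value, keep verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()   # drop a trailing comment
        env[key.strip()] = value
    return env


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens sit well above words and hostnames."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    """True if the value is safe to commit as a template entry."""
    if "://" in value:
        # For connection URLs only the password component matters
        password = urlsplit(value).password
        return password is None or is_placeholder(password)
    if LIVE_PREFIX_RE.match(value):
        return False
    if PLACEHOLDER_RE.search(value):
        return True
    # Short, low-entropy literals (ports, booleans, hostnames) are fine
    return len(value) < 20 or shannon_entropy(value) < 3.5


def real_values_in_template(text: str) -> list[str]:
    """Keys whose values look like real secrets rather than placeholders."""
    return [k for k, v in parse_dotenv(text).items() if not is_placeholder(v)]


# Constructed sample templates (not from the page).
SAFE_EXAMPLE = """\
# .env.example
API_KEY=your_api_key_here
STRIPE_SECRET_KEY=sk_test_...
DATABASE_URL=postgresql://user:password@localhost:5432/database
REDIS_URL=redis://localhost:6379
DEBUG=true
"""

LEAKY_EXAMPLE = """\
export API_KEY="sk_live_1234567890abcdef"
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY  # AWS doc sample
DATABASE_URL=postgresql://admin:Tr0ub4dor3xQ9vLm2pZ8wK@db.internal:5432/prod
PORT=5432
"""

if __name__ == "__main__":
    for name, text in (("safe", SAFE_EXAMPLE), ("leaky", LEAKY_EXAMPLE)):
        print(name, "->", real_values_in_template(text) or "only placeholders")
```

Run it against .env.example in a pre-commit hook and refuse the commit when the returned list is non-empty; the entropy fallback is what catches values with no recognisable prefix, at the cost of occasionally flagging a long random-looking placeholder, which is cheap to rename.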

3. Use Secret Management Tools

| Platform | Tool | Use Case |
| --- | --- | --- |
| AWS | Secrets Manager, IAM Roles | Production secrets |
| Google Cloud | Secret Manager | GCP secrets |
| Kubernetes | Kubernetes Secrets | Container secrets |
| Docker | Docker Secrets | Docker Swarm secrets |
| HashiCorp | Vault | Enterprise secrets |
| Doppler | Doppler CLI | Simple secrets management |
| Infisical | Infisical | Self-hosted secrets |

4. Set Up Pre-Commit Hooks

Create .git/hooks/pre-commit:

#!/bin/bash
echo "🔍 Checking for secrets in commit..."

# Filename fragments that indicate a secret-bearing file. Each entry is an
# extended regex for grep -E. The glob-style "*key", "*secret", ... entries
# are not valid regexes (a leading '*' never matches), so they are written as
# plain substrings here; "\.env" already covers ".env.local" and friends.
# Generic words such as "github" or "auth" also match legitimate paths
# (.github/workflows/, author.py), so tune the list to your repository.
SECRET_PATTERNS=(
  "\.env"
  "key"
  "secret"
  "token"
  "credential"
  "password"
  "auth"
  "aws"
  "gcp"
  "azure"
  "stripe"
  "paypal"
  "twilio"
  "sendgrid"
  "mailgun"
  "slack"
  "discord"
  "github"
  "gitlab"
  "bitbucket"
  "notion"
  "intercom"
  "zendesk"
  "freshdesk"
  "zoho"
  "datadog"
  "newrelic"
  "sentry"
  "bugsnag"
  "rollbar"
  "hound"
  "coveralls"
  "mixpanel"
  "amplitude"
  "segment"
  "matomo"
  "vault"
  "terraform"
  "cloudformation"
  "ansible"
)

# Only files being added, copied or modified; a deletion cannot leak anything
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)

for pattern in "${SECRET_PATTERNS[@]}"; do
  # grep prints the offending paths, then the hook aborts the commit
  if printf '%s\n' "$STAGED_FILES" | grep -iE "$pattern"; then
    echo "❌ ERROR: Found secret file matching pattern: $pattern"
    exit 1
  fi
done

echo "✅ No secrets found"

Make executable (note that .git/hooks/ is not part of the repository, so every developer has to install the hook in their own clone):

chmod +x .git/hooks/pre-commit
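The hook above looks only at file names, so a key pasted into an otherwise innocent file such as config/settings.py passes it. The following added example, written for this page rather than taken from the no-secrets project, closes that gap by reading a unified diff and reporting added lines whose content is secret-shaped (an AWS access key id, a PEM private-key header, a Stripe live key, a GitHub token, or a quoted `password = '...'` assignment). In a hook you would pipe `git diff --cached -U0` into it and abort on a non-zero exit. The rule set, the hunk-header handling and the sample diff are this example's own assumptions.

```python
import re
import sys

# Secret-shaped content rules: well-known credential prefixes plus a generic
# quoted password/secret/token assignment. The list is an assumption of this
# example; extend it with the providers your project actually uses.
CONTENT_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "stripe-live-key": re.compile(r"\bsk_live_[0-9A-Za-z]{8,}\b"),
    "github-pat": re.compile(r"\bghp_[0-9A-Za-z]{20,}\b"),
    "password-assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# "@@ -old,len +new,len @@": we only need the new-file start line
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")


def scan_diff(diff_text: str) -> list[tuple[str, int, str]]:
    """Report added lines in a unified diff that look like secrets.

    Returns (file, new-file line number, rule name) tuples. Removed lines are
    skipped on purpose: a deleted secret is already in history and needs
    rotation, which a blocked commit would not achieve.
    """
    findings = []
    current_file = None
    new_line = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")   # new-file header
            continue
        m = HUNK_HEADER.match(line)
        if m:
            new_line = int(m.group(1))
            continue
        if line.startswith("-"):
            continue                      # removed line or '--- a/...' header
        if line.startswith("+"):
            content = line[1:]
            for name, rule in CONTENT_RULES.items():
                if rule.search(content):
                    findings.append((current_file, new_line, name))
            new_line += 1
        elif line.startswith(" "):
            new_line += 1                 # unchanged context line
        # 'diff --git', 'index', 'new file mode' lines carry no content
    return findings


# Constructed sample diff, two files with one hunk each (not from the page).
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.com"]
-STRIPE_KEY = os.environ["STRIPE_KEY"]
+STRIPE_KEY = "sk_live_EXAMPLE0000000000000000"
+AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 TIMEOUT = 30
+DB_PASSWORD = 'correct-horse-battery'
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAA...
"""

if __name__ == "__main__":
    # Hook usage: git diff --cached -U0 | python3 scan_staged.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(text)
    for path, lineno, rule in hits:
        print(f"{path}:{lineno}: {rule}")
    sys.exit(1 if hits else 0)
```

Reporting the new-file line number rather than the diff offset lets the developer open the file at the right place; a line that trips several rules is reported once per rule, in the order the rules are declared.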

5. Configure .gitignore

# Environment Configuration
.env
.env.local
.env.development
.env.production
.env.test
.env.*.local
.env.*.development
.env.*.production

# Database Files
*.db
*.sqlite
*.sqlite3
*.db-journal
*.db-wal

# Secret Keys and Tokens
*.pem
*.key
*.p12
*.keypair
*.pkcs12
*.csr
*.crt
*.der
*.pfx
*.cert
*.pub
*.cer
*.p7b
*.p7c
*.p7s

# Secrets Configuration Files
secrets.json
secrets.yaml
secrets.yml
config/secrets.js
config/secrets.py
config/secrets.php
secrets/

# AWS Configuration
.aws/credentials
.aws/config
aws-secrets
aws_keys.txt
aws-config.json

# Google Cloud Configuration
# NOTE: "*.json" also hides package.json, tsconfig.json and every other JSON
# file in the project; prefer the specific names below or a dedicated directory
*.json
service-account.json
gcp-keys.txt
gcp-config.json
credentials.json

# API Keys and Secrets
api_keys.txt
api_keys.json
api_keys.yaml
*.secret
*.secret.json
*.secret.yaml
*.secret.yml
private-key.txt
access-token.txt
refresh-token.txt
auth-token.txt
session-token.txt

# OAuth Tokens
*.token
oauth-token.txt
refresh-token.txt
access-token.txt
client-secret.txt

# Docker Secrets
docker-secrets/
secrets.d/

# Build Artifacts
node_modules/
npm-debug.log*
yarn-debug.log*
yarn-error.log*
lerna-debug.log*

# IDE and Editor Files
.idea/
.vscode/
*.swp
*.swo
*~
.project
.classpath
.settings/
*.sublime-project
*.sublime-workspace
.history/

# Build Output
dist/
build/
out/
target/
*.log

# OS Generated
.DS_Store
Thumbs.db
desktop.ini

# Backups
*.bak
*.backup
*.old
*.orig

# Data Files (Potentially Containing Secrets)
data/secrets.csv
data/credentials.csv
data/api_keys.csv
exports/
downloads/
uploads/

# SSH Keys
*.pub
known_hosts
known_hosts.txt
ssh-keyscan.txt

# SSL/TLS Certificates
*.crt
*.cer
*.pem
*.key
*.der
*.p12
*.pfx
*.p7b
*.p7c
*.p7s

# SSL/TLS Configuration
ssl/
certs/
server.crt
server.key
client.crt
client.key

# Monitoring and Analytics Keys
analytics-key.txt
analytics-secret.json
mixpanel-secret.txt
amplitude-secret.txt
segment-secret.txt
matomo-token.txt

# Third-Party Service Keys
twilio-account-sid.txt
twilio-auth-token.txt
stripe-secret-key.txt
stripe-publishable-key.txt
paypal-client-id.txt
paypal-secret.txt
sendgrid-api-key.txt
mailgun-api-key.txt
slack-api-token.txt
discord-token.txt
github-token.txt
gitlab-token.txt
bitbucket-token.txt
notion-api-key.txt
intercom-api-key.txt
zendesk-api-key.txt
freshdesk-api-key.txt
zoho-api-key.txt
datadog-api-key.txt
newrelic-license-key.txt
sentry-auth-token.txt
bugsnag-api-key.txt
rollbar-api-key.txt
hound-ci-token.txt
coveralls.io-token.txt

# Cloud Provider Configs
cloud-config.json
cloud-config.yaml
terraform.tfvars
terraform.tfstate
terraform.tfstate.backup
terraform-overrides.tfvars
ansible-vars/
ansible-vault-password.txt

# Kubernetes Secrets (Base64 encoded secrets)
k8s-secrets/
kube-secrets/
secrets/k8s/
secrets/kube/
*.secret.k8s
*.secret.kube

# Deployment and CI/CD Secrets
cicd-secrets/
github-actions-secrets/
gitlab-ci-secrets/
bitbucket-pipelines-secrets/

# Application Configuration (Contains Secrets)
config/production.json
config/production.js
config/production.yaml
config/production.yml
config/staging.json
config/staging.js
config/staging.yaml
config/staging.yml

# Logging Files (May Contain Sensitive Info)
logs/
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
pnpm-debug.log*
bun-debug.log*
bun-error.log*

# Testing Data (Contains Secrets)
test-data/
tests/fixtures/secrets/
secrets-test-data/

# Docker Compose (Contains Secrets)
docker-compose.override.yml
docker-compose.secrets.yml

# HashiCorp Vault Secrets
vault-secrets.json
vault-secrets.yaml
vault-secrets.yml
vault_tokens/

# AWS CloudFormation / IaC Secrets
cloudformation-parameters.json
terraform.tfvars
terraform-overrides.tfvars

# Azure Secrets
azure-credentials.json
azure-secrets.json
az-secrets.txt

# Google Service Account Keys
service-account.json
service-account.key
gcp-service-account.json

# Database Migration Scripts (Contain DB URLs)
migrations/secrets.sql
migrations/db-credentials.sql

# Data Export Files
export/
exports/
backups/
snapshots/

# Temporary Files
tmp/
temp/
*.tmp

# Cache Files
cache/
.cache/
*.cache

# Lock Files (Contain API keys or secrets)
# NOTE: lock files are normally committed so that installs are reproducible;
# ignore them only if a registry token has actually been written into them,
# and move that token into environment-sourced registry auth config instead
package-lock.json
yarn.lock
pnpm-lock.yaml
bun.lockb

# Database Dump Files
*.dump
# NOTE: "*.sql" also ignores schema and migration scripts; narrow it to the
# dump names below if those scripts have to be committed
*.sql
*.sql.gz
pg_dump.sql
mysqldump.sql

# Docker Ignore Patterns
docker-compose.override.yml
.dockerignore

6. Configure CI/CD Secrets Securely

GitHub Actions:

# .github/workflows/secure.yml
env:
  API_KEY: ${{ secrets.API_KEY }}
  DATABASE_URL: ${{ secrets.DATABASE_URL }}

GitLab CI:

# .gitlab-ci.yml
# Define API_KEY and DATABASE_URL as protected, masked CI/CD variables under
# Settings > CI/CD > Variables; never write their values into this file.
# Jobs read them from the environment like any other variable
# (deploy.sh is a placeholder for your own script).
deploy:
  script:
    - ./deploy.sh   # reads $API_KEY and $DATABASE_URL from the environment

7. Never Share Secrets in Chat

❌ NEVER share secrets directly:

  • API keys
  • Database passwords
  • OAuth tokens
  • SSH keys
  • Cloud credentials

✅ USE placeholders:

API_KEY: [YOUR_API_KEY_HERE]
DATABASE_PASSWORD: [YOUR_DATABASE_PASSWORD_HERE]

8. Use .gitattributes for Encryption

# .gitattributes
# Encrypt the secrets directory with git-crypt (run `git-crypt init` once and
# share the key out of band). A trailing-slash pattern such as "secrets/"
# matches nothing in .gitattributes, so use "secrets/**" to cover the files
# inside the directory.
secrets/** filter=git-crypt diff=git-crypt

# Encrypt individual key and secret files wherever they live
*.key filter=git-crypt diff=git-crypt
*.pem filter=git-crypt diff=git-crypt
*.secret filter=git-crypt diff=git-crypt

🤖 AI Agent Safety Guidelines

When an AI agent analyzes your code:

1. Ask for Context First

  • "What type of application is this?"
  • "What services are being used?"
  • "What environment is this for?"

2. Use Environment Variables for Secrets

  • Never suggest hardcoding secrets in the code
  • Recommend .env files and secret management
  • Use process.env, os.getenv(), dotenv

3. Check .gitignore Files

  • Look for .gitignore in the repository
  • Verify it excludes sensitive files
  • Suggest adding missing patterns

4. Suggest Security Best Practices

  • Recommend using env vars for configuration
  • Suggest secret management tools
  • Check for hardcoded credentials

5. Avoid Suggesting Secret Storage

  • Don't suggest saving keys in config files
  • Don't suggest saving tokens in scripts
  • Don't suggest creating secret files

6. Validate Before Outputting

  • Verify all code doesn't contain secrets
  • Check for API keys, tokens, passwords
  • Ensure .env files are mentioned in documentation

7. Provide Examples

  • Show how to load environment variables
  • Provide .env.example templates
  • Show secret management patterns

πŸ” Check for Secrets

You can search for secrets in your repository using these simple shell commands:

Find Environment Files

find . -name ".env*" -type f

Find Key Files

find . -name "*key*" -type f | grep -v node_modules
find . -name "*secret*" -type f | grep -v node_modules

Find Token Files

find . -name "*token*" -type f | grep -v node_modules

Find Database Files

find . -name "*.db*" -type f
find . -name "*.sqlite*" -type f

Find AWS/GCP/Azure Configuration

find . -name "*.json" -type f | grep -E "(aws|gcp|azure|cloud)"
find . -name "*aws*" -type f | grep -v node_modules
find . -name "*gcp*" -type f | grep -v node_modules
find . -name "*azure*" -type f | grep -v node_modules

Find Payment Service Keys

find . -name "*stripe*" -type f
find . -name "*paypal*" -type f
find . -name "*twilio*" -type f
find . -name "*sendgrid*" -type f
find . -name "*mailgun*" -type f

Find Social Media Keys

find . -name "*slack*" -type f
find . -name "*discord*" -type f
find . -name "*github*" -type f
find . -name "*gitlab*" -type f
find . -name "*bitbucket*" -type f
find . -name "*notion*" -type f

Find Monitoring Keys

find . -name "*datadog*" -type f
find . -name "*newrelic*" -type f
find . -name "*sentry*" -type f
find . -name "*bugsnag*" -type f
find . -name "*rollbar*" -type f

Find Cloud IaC Files

find . -name "terraform*" -type f
find . -name "*.tfvars" -type f
find . -name "cloudformation*" -type f
find . -name "ansible*" -type f

Find Vault Secrets

find . -name "*vault*" -type f

Search in Git History

git log --all --source --full-history -- "*.env"
git log --all --source --full-history -- "*secret*"
git log --all --source --full-history -- "*key*"
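The find commands above and the .gitignore from step 5 answer two halves of one question: which sensitive files exist in the tree, and which of them the ignore rules would actually keep out of a commit. The following added example, written for this page and not code from the no-secrets project, joins the halves. It implements the common subset of gitignore matching (a pattern without a slash matches any path component, a trailing slash matches directories only, an embedded slash anchors at the repository root, `*` never crosses `/`, `!` negates with last-match-wins), classifies paths against a subset of the page's catalog with its risk levels, lists the sensitive files the .gitignore would not exclude with the worst risk first, and separately flags over-broad patterns such as `*.json` that would also hide files a project needs. Re-inclusion below an ignored parent directory and trailing `/**` are not modelled; the catalog subset, the "must commit" list and the sample tree are this example's own constructions.

```python
import re


def _glob_to_regex(glob: str) -> str:
    """gitignore glob to regex: '*' and '?' stop at '/', '**/' spans directories."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)


def _pattern_matches(pattern: str, path: str) -> bool:
    """Does one gitignore-style pattern match `path` (POSIX, repo-relative)?"""
    dir_only = pattern.endswith("/")
    pattern = pattern.rstrip("/")
    anchored = "/" in pattern
    regex = re.compile("^" + _glob_to_regex(pattern.lstrip("/")) + "$")
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        is_dir = depth < len(parts)            # a strict prefix is a directory
        if dir_only and not is_dir:
            continue
        candidate = "/".join(parts[:depth]) if anchored else parts[depth - 1]
        if regex.match(candidate):
            return True
    return False


def is_ignored(path: str, gitignore_lines) -> bool:
    """Last matching pattern wins, as in git; '!' re-includes."""
    ignored = False
    for raw in gitignore_lines:
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        negate = pat.startswith("!")
        if _pattern_matches(pat[1:] if negate else pat, path):
            ignored = not negate
    return ignored


# Subset of the page's catalog with its risk levels (constructed sample).
CATALOG = [
    (".env", "Critical"), (".env.local", "Critical"), (".env.*.local", "Critical"),
    ("*.pem", "Critical"), ("*.key", "Critical"), ("*.db", "Critical"),
    (".aws/credentials", "Critical"), ("service-account.json", "Critical"),
    ("*.token", "High"), ("terraform.tfstate", "High"), ("secrets/", "High"),
    ("tests/fixtures/secrets/", "High"), ("*.log", "Low"), ("*.bak", "Low"),
]
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def classify(path: str):
    """Worst catalog risk level that applies to `path`, or None."""
    hits = [risk for pattern, risk in CATALOG if _pattern_matches(pattern, path)]
    return min(hits, key=RISK_ORDER.__getitem__) if hits else None


def audit(paths, gitignore_lines, skip=("node_modules/", ".git/")):
    """Sensitive files the .gitignore would NOT exclude, worst risk first;
    the same sweep as the page's find ... | grep -v node_modules commands."""
    exposed = []
    for path in paths:
        if any(_pattern_matches(s, path) for s in skip):
            continue
        risk = classify(path)
        if risk and not is_ignored(path, gitignore_lines):
            exposed.append((risk, path))
    return sorted(exposed, key=lambda e: (RISK_ORDER[e[0]], e[1]))


def overly_broad(gitignore_lines,
                 must_commit=("package.json", "tsconfig.json", "migrations/001_init.sql")):
    """Files a project normally needs that the .gitignore would hide."""
    return [p for p in must_commit if is_ignored(p, gitignore_lines)]


# Constructed repository listing and .gitignore (not from the page).
TREE = [
    "src/app.js", ".env", "deploy/server.key", ".aws/credentials",
    "node_modules/pkg/.env", "terraform/terraform.tfstate",
    "tests/fixtures/secrets/token.json", "logs/app.log", "package.json",
]
GITIGNORE = [".env", "*.pem", "*.key", "*.json", "secrets/", "# keep the lockfile", "!package.json"]

if __name__ == "__main__":
    for risk, path in audit(TREE, GITIGNORE):
        print(f"{risk:8} {path}")
    print("over-broad patterns hide:", overly_broad(GITIGNORE))
```

On a real checkout feed `audit` the output of `git ls-files --others --cached` and the lines of the repository's .gitignore; anything it returns is either a file to delete and rotate or a pattern to add, and anything `overly_broad` returns is a pattern to narrow before it silently drops a needed file from the next commit.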

✅ Commit Checklist

Before committing, verify:

Environment Files

  • All .env files are in .gitignore
  • No .env files committed
  • .env.example is committed (template only)

Credential Files

  • No API keys in code
  • No private keys in code
  • No database passwords in code
  • No OAuth tokens in code
  • No AWS/GCP/Azure credentials

Configuration Files

  • Production config separated
  • Staging config separated
  • No hardcoded credentials
  • Secrets documented but not committed

Docker/Container

  • docker-compose.override.yml excluded
  • No secrets in Dockerfiles
  • .dockerignore includes secrets

IDE/Editor

  • No .idea/ committed
  • No .vscode/ committed
  • No editor config files

Build/Artifacts

  • No build output committed
  • No node_modules/
  • No dist/build/

Data Files

  • No test data with secrets
  • No exported credentials
  • No dumps containing secrets

Documentation

  • README includes instructions for creating .env files
  • Examples use placeholders
  • .env.example template is committed

📊 Statistics

Secret Categories Summary

| Category | Files | Risk Level | Count |
| --- | --- | --- | --- |
| Environment | .env* | Critical | 8 |
| Database | *.db, *.sqlite | Critical | 5 |
| Cryptographic | *.key, *.pem, *.crt | Critical | 14 |
| Cloud Provider | *.json, aws*, gcp*, azure* | Critical | 16 |
| API Keys | api_keys*, *.secret | High | 15 |
| OAuth Tokens | *.token, oauth* | High | 5 |
| Docker | docker-secrets/ | High | 4 |
| Kubernetes | k8s-secrets/, kube-secrets/ | High | 6 |
| Monitoring | datadog*, newrelic*, sentry* | High | 12 |
| Payment | stripe*, paypal* | Critical | 4 |
| Email | sendgrid*, mailgun*, twilio* | High | 4 |
| Social Media | slack*, discord*, github-token* | High | 10 |
| Cloud IaC | terraform*, cloudformation*, ansible* | High | 9 |
| IDE | .idea/, .vscode/ | Medium | 11 |
| Build | node_modules/, dist/ | Low | 10 |
| OS | .DS_Store, Thumbs.db | Low | 3 |
| Backup | *.bak, *.backup | Low | 4 |
| Data | data/secrets*, exports/ | High | 10 |
| SSL/TLS | ssl/, certs/, server.key | Critical | 9 |
| CI/CD | cicd-secrets/ | High | 4 |
| Logging | logs/, *.log | Low | 10 |
| TOTAL | | | 180+ patterns |

🎓 Learning Resources

Beginner

  • OWASP Top 10 - Cryptography
  • 12-Factor App - Configuration
  • GitHub Security Best Practices

Intermediate

  • AWS Secrets Manager Tutorial
  • HashiCorp Vault Getting Started
  • Kubernetes Secrets Management

Advanced

  • Cloud Security Best Practices
  • Docker Secret Management
  • CI/CD Security

🤝 Contributing

Contributions to this project are welcome! To add a new secret pattern:

  1. Identify the secret pattern (filename, directory, or content)
  2. Determine the risk level (Critical, High, Medium, Low)
  3. Add to the appropriate section
  4. Update statistics
  5. Commit with clear message

Example Contribution

Add: PayPal API key file pattern
File: paypal-api-key.txt
Risk: High
Reason: Contains PayPal payment API credentials

πŸ“ Project Info

  • Project Name: no-secrets
  • Purpose: Comprehensive documentation of secrets that must never be committed to version control
  • Maintainer: hallucinaut
  • Version: 2.0.0
  • Last Updated: 2026-02-12
  • License: MIT

πŸ™ Acknowledgments

This project serves as a reference for:

  • Developers learning about security
  • AI agents to avoid suggesting insecure code
  • DevOps engineers configuring secure pipelines
  • Security teams for audit and compliance
  • Project managers understanding security requirements

Special thanks to the security community and all contributors who help maintain these standards.


⚠️ Disclaimer

This document is for educational and reference purposes only. Always follow your organization's security policies and best practices for handling secrets. The creators and maintainers of this project are not responsible for any security incidents resulting from the use of this information.


Remember: Once a secret is committed to public git history, it can never truly be removed. Protect your secrets!


End of Document - Version 2.0.0 Last Updated: 2026-02-12

About

🔒 Comprehensive documentation of secrets that must never be committed to version control. Includes patterns, best practices, and detection commands.