Dotfiles Security

This repository includes automated secret scanning to prevent sensitive information (API keys, passwords, private keys) from being pushed to GitHub.

Security Measures

Secret Scanner Script: scripts/security/scan_secrets.sh - Uses git grep with robust regex patterns to find potential secrets.
Git Hooks:
- pre-commit: Scans tracked files before every commit.
- pre-push: Scans tracked files before every push.
GitHub Action: .github/workflows/secret-scanning.yml - Runs Gitleaks on every push to the remote.
Enhanced Sync Script:
- .ignore_stow/git_push_dotfiles.sh This script explicitly runs the secret scanner before proceeding.

Ensure the git hooks are executable to activate the local protection:

chmod +x .git/hooks/pre-commit .git/hooks/pre-push

The hooks are configured to call scripts/security/scan_secrets.sh before every commit and push.

If the scanner finds a false positive (a string that looks like a secret but isn't), you can:

Refine the regex in scripts/security/scan_secrets.sh.
Add the file or directory to the EXCLUDE list in scripts/security/scan_secrets.sh.

Name		Name	Last commit message	Last commit date
Latest commit History 186 Commits
.github/workflows		.github/workflows
.ignore_stow		.ignore_stow
dunst/.config/dunst		dunst/.config/dunst
git		git
hypr/.config/hypr		hypr/.config/hypr
ignore		ignore
kanshi/.config/kanshi		kanshi/.config/kanshi
keyd/.config/keyd		keyd/.config/keyd
kitty/.config/kitty		kitty/.config/kitty
nvim/.config/nvim		nvim/.config/nvim
oh-my-zsh/.oh-my-zsh		oh-my-zsh/.oh-my-zsh
opencode/.config/opencode		opencode/.config/opencode
scripts		scripts
starship/.config/starship		starship/.config/starship
tmux/.config/tmux		tmux/.config/tmux
voxtype/.config/voxtype		voxtype/.config/voxtype
waybar/.config/waybar		waybar/.config/waybar
zsh		zsh
.gitignore		.gitignore
.stow-local-ignore		.stow-local-ignore
README.md		README.md