mirror of
https://github.com/github/awesome-copilot.git
synced 2026-03-16 14:15:11 +00:00
446f0d767c
* New hook: secrets-scanner Add a secrets-scanner hook that scans files modified during a Copilot coding agent session for leaked secrets, credentials, and sensitive data. The hook runs on sessionEnd and inspects files in one of three scopes: - diff: only files changed in the current session (default) - staged: only files currently staged in the git index - all: every tracked file in the repository Detected pattern categories: - AWS access keys and secret keys - GCP service account credentials - Azure client secrets and storage connection strings - GitHub personal access tokens - Slack tokens (bot, user, webhook) - Private key headers (RSA, EC, DSA, OpenSSH, PEM) - Generic high-entropy bearer tokens - Internal IP:port strings Configurable via environment variables (SCAN_MODE, SCAN_SCOPE, SECRETS_ALLOWLIST) so teams can tune for their workflow without editing the script. Patterns are POSIX ERE (grep -E) compatible, with no PCRE metacharacters, for portability across macOS and Linux. Files: hooks.json, scan-secrets.sh, README.md * refactor: move PATTERNS array to top of scan-secrets.sh for discoverability Move the PATTERNS declaration to the top of the file so it is clearly visible and easy to customize, as suggested in code review. Added a descriptive header comment. No functional changes. --------- Co-authored-by: Shehab Sherif <shehabsherif0@users.noreply.github.com>