Purpose
- Feature name: Secrets hygiene
- Why this feature exists: Prevent accidental exposure of secrets in a public repo and deployments.
Scope
In scope
- NEXT_PUBLIC_* safety rules
- secrets scanning in CI
- local lightweight scanning guidance
Out of scope
- dependency scanning (covered in supply chain features)
- incident response procedures (covered in operations runbooks)
- CI workflow configured for secrets scanning
- environment variable contract documented
Procedure / Content
Feature summary
- Feature name: Secrets hygiene
- Feature group: Security posture and hardening
- Technical summary: Enforces public-safe environment variables and scans for secrets in CI.
- Low-tech summary: Stops sensitive data from ending up in public code.
Feature in action
- Where to see it working: CI runs on PRs and main; repo remains free of secrets.
Confirmation Process
Manual
- Steps: Review .env.example and confirm no secrets are documented.
- What to look for: No secret-like values in public config or repo history.
- Artifacts or reports to inspect: CI secrets:scan job output.
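A lightweight local check that automates the .env.example review above and the NEXT_PUBLIC_* safety rule (any NEXT_PUBLIC_* variable is inlined into the browser bundle by Next.js, so a secret-like name under that prefix is a design error regardless of its value). This is an added example, not the project's own tooling or the CI TruffleHog job; the sample file, placeholder list and vendor prefixes are constructed for the demo.

```python
import math
import re

# Constructed sample .env.example for this demo; the project's real file is not reproduced.
SAMPLE_ENV_EXAMPLE = """\
# Public: Next.js inlines NEXT_PUBLIC_* into the browser bundle
NEXT_PUBLIC_API_URL=https://api.example.com
NEXT_PUBLIC_ANALYTICS_ID=replace-me
NEXT_PUBLIC_SERVICE_TOKEN=replace-me
# Server-only
DATABASE_URL=postgres://app:hunter2@localhost:5432/app
STRIPE_SECRET_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dc
JWT_SECRET=9f3c1a7e2b4d6f8a0c1e3b5d7f9a2c4e
SESSION_SECRET=
"""
PLACEHOLDERS = {"", "replace-me", "changeme", "your-value-here", "<redacted>", "xxx"}
SECRET_NAME_RE = re.compile(r"(SECRET|TOKEN|PASSWORD|PRIVATE_KEY|API_KEY)$")
KNOWN_PREFIX_RE = re.compile(r"^(sk_live_|sk_test_|ghp_|AKIA|xox[abp]-)")  # illustrative subset
URL_CREDENTIAL_RE = re.compile(r"://[^/:@\s]+:[^@\s]+@")
TOKEN_SHAPE_RE = re.compile(r"^[A-Za-z0-9+/=_\-]{20,}$")
ENTROPY_THRESHOLD = 3.5  # bits/char: hex and base64 tokens sit well above, words and URLs below


def shannon_entropy(value):
    probs = [value.count(ch) / len(value) for ch in set(value)]
    return -sum(p * math.log2(p) for p in probs)


def parse_env(text):
    # Yield (key, value) pairs; comments, blank lines and surrounding quotes are dropped.
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield key.strip(), value.strip().strip("'\"")


def check_env_example(text):
    # Return a list of (key, reason) findings; a clean example file yields an empty list.
    findings = []
    for key, value in parse_env(text):
        # Rule 1: a secret-shaped name under NEXT_PUBLIC_ would ship to the browser, whatever its value.
        if key.startswith("NEXT_PUBLIC_") and SECRET_NAME_RE.search(key):
            findings.append((key, "secret-like name under NEXT_PUBLIC_ prefix"))
        # Rule 2: example files hold placeholders only; anything resembling a live value is a finding.
        if value in PLACEHOLDERS:
            continue
        if KNOWN_PREFIX_RE.match(value):
            findings.append((key, "value matches a known secret prefix"))
        elif URL_CREDENTIAL_RE.search(value):
            findings.append((key, "URL embeds username:password credentials"))
        elif TOKEN_SHAPE_RE.match(value) and shannon_entropy(value) > ENTROPY_THRESHOLD:
            findings.append((key, "high-entropy token-like value"))
    return findings
```

Run `check_env_example(open(".env.example").read())` before committing; a non-empty result is a blocker, and the flagged value must be rotated, not just removed.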
Tests
- Unit tests: None specific.
- E2E tests: None.
- Secrets committed to the repo.
- CI secrets scan disabled or skipped.
Long-term maintenance notes
- Revalidate environment variable docs after config changes.
- Keep secret scanning tools up to date.
- TruffleHog (CI)
- GitHub Actions
Source code references (GitHub URLs)
ADRs
Runbooks
Additional internal references
External reference links
Validation / Expected outcomes
- Secrets scans pass in CI.
- No secrets appear in public configuration files.
Failure modes / Troubleshooting
- Scan failures: inspect findings, remove secrets, rotate credentials.
- False positives: document rationale and adjust patterns if needed.
References