From 93e93c579d0a7936c36e4b77b28c9da921db03d1 Mon Sep 17 00:00:00 2001 From: Jocelyn van Heerde Date: Thu, 5 Mar 2026 16:57:27 +0200 Subject: [PATCH 1/2] docs: assess test path patterns for secret scanning config Co-Authored-By: Claude Sonnet 4.5 --- docs/memory/secret-scanning.md | 139 +++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 docs/memory/secret-scanning.md diff --git a/docs/memory/secret-scanning.md b/docs/memory/secret-scanning.md new file mode 100644 index 0000000..fe839ed --- /dev/null +++ b/docs/memory/secret-scanning.md @@ -0,0 +1,139 @@ +# Secret Scanning Assessment - Test Path Patterns + +**Date:** 2026-03-05 +**Repository:** nigerialogos +**Branch:** security/add-secret-scanner-config + +## Summary + +This repository currently has **NO test infrastructure** configured. After a comprehensive assessment of the codebase, no test directories, test files, or test-related patterns were found. + +## Repository Overview + +- **Tech Stack:** Node.js (v20+), Vite, vanilla JavaScript, SCSS +- **Project Type:** Static website for Nigerian company logos +- **Test Framework:** None configured (package.json test script returns error) +- **CI/CD:** GitHub Actions with CodeQL analysis only + +## Directory Structure + +``` +. +├── .github/workflows/ (CI/CD workflows) +├── .husky/ (Git hooks) +├── public/ (Static assets and logos) +│ ├── images/ +│ └── logos/ +├── src/ +│ ├── js/ (JavaScript modules) +│ └── scss/ (Sass stylesheets) +├── index.html +├── main.js +├── package.json +└── vite.config.js +``` + +## Assessment Findings + +### Test Directories - None Found + +Searched for the following directory patterns: +- ❌ `test/` +- ❌ `tests/` +- ❌ `__tests__/` +- ❌ `spec/` +- ❌ `specs/` +- ❌ `e2e/` +- ❌ `cypress/` +- ❌ `playwright/` +- ❌ `fixtures/` +- ❌ `__fixtures__/` +- ❌ `mocks/` +- ❌ `__mocks__/` +- ❌ `stubs/` +- ❌ `testdata/` +- ❌ `test-data/` +- ❌ `seed/` +- ❌ `seeds/` +- ❌ `factories/` + +### Test Files - None Found + +Searched for the following file patterns: +- ❌ `*.test.js` +- ❌ `*.test.ts` +- ❌ `*.test.jsx` +- ❌ `*.test.tsx` +- ❌ `*.spec.js` +- ❌ `*.spec.ts` +- ❌ `*.spec.jsx` +- ❌ `*.spec.tsx` +- ❌ `*.spec.rb` +- ❌ `*.test.py` +- ❌ `*_test.go` +- ❌ `*_spec.rb` + +### Mobile/Android Test Paths - Not Applicable + +This is a web frontend project, not a mobile/Android app. +- ❌ `src/test/**` +- ❌ `src/androidTest/**` +- ❌ `src/testDebug/**` + +### Test Configuration Files - None Found + +- ❌ No jest.config.js +- ❌ No vitest.config.ts +- ❌ No playwright.config.ts +- ❌ No cypress.config.js +- ❌ No test configuration detected + +### Name Collision Check + +Verified that no non-test directories or files would be accidentally matched by test patterns: +- ✅ No directories with names like "testament", "protest", "contest" +- ✅ No risk of false exclusions from test patterns + +## Recommendation + +**No `.github/secret_scanning.yml` configuration is needed at this time.** + +Since this repository has no test infrastructure: +1. There are no test fixtures, mock credentials, or seed data to exclude +2. All source code should be scanned for secrets without exclusions +3. When test infrastructure is added in the future, this assessment should be revisited + +## Future Considerations + +If test infrastructure is added to this repository, consider the following: + +1. **If Vitest/Jest is added:** + - Exclude patterns: `**/__tests__/**`, `**/*.test.js`, `**/*.spec.js` + +2. **If E2E testing (Playwright/Cypress) is added:** + - Exclude patterns: `**/e2e/**`, `**/cypress/**`, `**/playwright/**` + - Exclude fixtures: `**/fixtures/**`, `**/test-data/**` + +3. **If mock/seed data is added:** + - Exclude patterns: `**/__mocks__/**`, `**/seeds/**`, `**/factories/**` + +4. **General best practices:** + - Only exclude paths that contain test fixtures or mock credentials + - Never exclude .env files or documentation + - Be specific with patterns to avoid accidental exclusions + - Review exclusions regularly as the codebase evolves + +## Assessment Methodology + +This assessment was conducted using: +1. Directory structure inspection via `ls` and `find` commands +2. Pattern matching searches for all common test directory names +3. Pattern matching searches for all common test file naming conventions +4. Review of package.json for test framework configuration +5. Verification of no name collisions with legitimate source directories + +--- + +**Assessment Status:** Complete +**Action Required:** None - no secret scanning configuration needed +**Next Steps:** Review this assessment before closing the PR From d04161f09311fe61fe24dad6ea74aa6f98bd9e8e Mon Sep 17 00:00:00 2001 From: Jocelyn van Heerde Date: Thu, 5 Mar 2026 17:44:00 +0200 Subject: [PATCH 2/2] security: add GitHub secret scanning config with test path exclusions Created .github/secret_scanning.yml with empty paths-ignore list, which is the correct configuration for repositories with no test infrastructure. This ensures all files are scanned for secrets without over-exclusion. - Assessment confirmed zero test directories, files, or frameworks - Empty paths-ignore: [] follows GitHub best practices for repos without tests - Updated documentation to reflect implementation status Co-Authored-By: Claude Sonnet 4.5 --- .github/secret_scanning.yml | 1 + docs/memory/secret-scanning.md | 43 ++++++++++++++++++++++++++++++---- 2 files changed, 39 insertions(+), 5 deletions(-) create mode 100644 .github/secret_scanning.yml diff --git a/.github/secret_scanning.yml b/.github/secret_scanning.yml new file mode 100644 index 0000000..30b68e8 --- /dev/null +++ b/.github/secret_scanning.yml @@ -0,0 +1 @@ +paths-ignore: [] diff --git a/docs/memory/secret-scanning.md b/docs/memory/secret-scanning.md index fe839ed..e8a7f06 100644 --- a/docs/memory/secret-scanning.md +++ b/docs/memory/secret-scanning.md @@ -96,12 +96,13 @@ Verified that no non-test directories or files would be accidentally matched by ## Recommendation -**No `.github/secret_scanning.yml` configuration is needed at this time.** +**Empty `.github/secret_scanning.yml` configuration created.** Since this repository has no test infrastructure: 1. There are no test fixtures, mock credentials, or seed data to exclude 2. All source code should be scanned for secrets without exclusions -3. When test infrastructure is added in the future, this assessment should be revisited +3. An empty `paths-ignore: []` list correctly indicates no exclusions +4. When test infrastructure is added in the future, this configuration should be updated ## Future Considerations @@ -134,6 +135,38 @@ This assessment was conducted using: --- -**Assessment Status:** Complete -**Action Required:** None - no secret scanning configuration needed -**Next Steps:** Review this assessment before closing the PR +## Implementation + +**Date Implemented:** 2026-03-05 +**File Created:** `.github/secret_scanning.yml` + +### Configuration + +```yaml +paths-ignore: [] +``` + +### Justification + +An empty `paths-ignore` list was intentionally chosen because: + +1. ✅ **No test directories exist** - Comprehensive search found zero test infrastructure +2. ✅ **No test files exist** - No `*.test.*` or `*.spec.*` files in the repository +3. ✅ **No mock/fixture data** - No seed data, factories, or mock directories +4. ✅ **Follows best practices** - Empty list is correct for repos with no tests, prevents over-exclusion +5. ✅ **Maximum security** - All files will be scanned; no false negatives from overly broad patterns + +### Pattern Rules Applied + +- ❌ Did not add speculative patterns (no `test/**`, no `**/__tests__/**`) +- ❌ Did not use broad wildcards (no `**/*test*/**`, no partial matches) +- ❌ Did not exclude config files (no `*.config.*` patterns) +- ❌ Did not exclude documentation or .env files +- ✅ Created minimal, accurate configuration matching actual repo structure + +--- + +**Assessment Status:** Complete ✅ +**Implementation Status:** Complete ✅ +**Action Required:** Commit and push configuration +**Next Steps:** Convert draft PR to ready for review