# GitGuardian configuration # See: https://docs.gitguardian.com/ggshield-docs/reference/gitguardian-yaml secret: # Paths that contain test fixtures, example files, and dev configs — not real secrets ignored-paths: - "**/tests/**" - "**/test_*" - "**/conftest.py" - "**/*.test.*" - "**/testdata/**" - "deploy/env-example" - "features/**/tests/**" - "tests2/**" - "tests3/**" # Backup env files (deleted from tree, exist only in git history) - ".env.backup" - "deploy/compose/.env.bak" # Notebook test fixtures with test API keys - "packages/vexa-client/tests.ipynb" - "packages/vexa-client/tests/tutorial.ipynb" # Example/template files with placeholder credentials - "**/.pypirc.example" # Dashboard validation scripts with test tokens - "services/dashboard/agent-inspect.js" - "services/dashboard/agent-flow.js" - "services/dashboard/auth-validate*.js" - "services/dashboard/feature-validate.js" # Known test/dev patterns that are not real secrets ignored-matches: # Test admin tokens (hardcoded in test fixtures) - name: "test-admin-token" match: "test-admin-token*" - name: "changeme-default" match: "changeme" # Test API key prefixes (fake tokens in unit tests) - name: "test-vxa-bot-tokens" match: "vxa_bot_abc*" - name: "test-vxa-bot-testkey" match: "vxa_bot_testkey*" - name: "test-vxa-user-tokens" match: "vxa_user_*" # Chrome password-store flag (not a secret) - name: "chrome-password-store" match: "password-store=basic" # Helm chart template placeholders - name: "helm-changeme" match: "CHANGE_ME" # vexa-internal-secret default (used in dev only) - name: "internal-secret-default" match: "vexa-internal-secret" # staging admin token (dev-only, not production) - name: "staging-admin-token" match: "staging-admin-token" # test-admin-token-t3 (tests3 test cluster) - name: "test-cluster-token" match: "test-admin-token-t3" # Dev-only default database password (postgres:postgres for local dev) - name: "dev-postgres-password" match: "POSTGRES_PASSWORD=postgres" - name: "dev-db-password" match: "DB_PASSWORD=postgres" - name: "dev-db-password-value" match: "password: \"postgres\"" - name: "dev-db-url-password" match: "postgres:postgres@" # Dev-only MinIO defaults (non-production) - name: "dev-minio-access-key" match: "vexa-access-key" - name: "dev-minio-secret-key" match: "vexa-secret-key" # Dev-only JWT secret - name: "dev-jwt-secret" match: "vexa-dev-jwt-secret" # PyPI example placeholder - name: "pypi-placeholder" match: "your-pypi-api-token-here"