secret-scan-config.json

{
  "//": [
    "Regexes used to scan the repository contents for secrets.",
    "If possible, try to make the regex match the entire secret, or",
    "allowedStrings might not work as expected. For example, if a regex",
    "matches only 'mongodb', this string by itself does not contain any of the",
    "strings in the allowlist, so it will still be flagged."
  ],
  "secretRegexes": {
    "mongodbUrl": "mongodb([+]srv)?://[^\\s]+",
    "firebaseJsonPrivateKeyFile": "-----BEGIN PRIVATE KEY-----[^\\s]+"
  },
  "//": [
    "To prevent a particular string from being flagged, add it (or a substring",
    "of it) to this array. This can be useful if your repository contains an",
    "example of what a credential should look like, a development credential",
    "(e.g. a database on localhost), or a previously leaked credential that",
    "has already been revoked. Obviously, do not put active credentials here."
  ],
  "allowedStrings": ["mongodb://127.0.0.1", "mongodb://localhost"],
  "//": [
    "Do not check for secrets in these files. You should almost always use",
    "allowedStrings instead of this. We only add this config because it",
    "naturally contains things that look like secrets, but aren't."
  ],
  "skippedFiles": [".secret-scan/secret-scan-config.json"]
}