Problem Statement
Secretlint (secret detection) currently runs via MegaLinter without a dedicated configuration file. This means:
- No allowlist for test/example credentials (false positives)
- No ignore patterns for documentation and test fixtures
- Template variables (${...}, {{...}}) may trigger false positives
- Configuration is not portable for direct tool usage
Proposed Solution
Create .secretlintrc.json configuration file at repository root:
{
  "$schema": "https://raw.githubusercontent.com/secretlint/secretlint/master/packages/@secretlint/config-loader/secretlintrc.schema.json",
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-preset-recommend",
      "options": {
        "allows": [
          "/testpass.*/i",
          "/password123/i",
          "/mock_.*/i",
          "/fake_.*/i",
          "/dummy_.*/i",
          "/example_.*/i",
          "/sample_.*/i",
          "/__token__/",
          "/contoso/i",
          "/fabrikam/i",
          "/\\$\\{.*\\}/",
          "/\\{\\{.*\\}\\}/"
        ]
      }
    }
  ]
}
Create .secretlintignore file:
.copilot-tracking/
.github/prompts/
.github/instructions/
**/*.md
docs/
**/test/
**/tests/
**/testdata/
**/fixtures/
**/examples/
node_modules/
dist/
build/
.terraform/
package-lock.json
*.tfstate
learning/
project-security-plans/examples/
Integrate with MegaLinter by adding to .mega-linter.yml:
# Secretlint configuration
REPOSITORY_SECRETLINT_CONFIG_FILE: .secretlintrc.json
Alternative Solutions
- Continue relying on MegaLinter defaults (more false positives)
- Use only gitleaks (already configured, but secretlint provides additional coverage)
Target Components
Implementation Ideas
- Create .secretlintrc.json at repository root
- Create .secretlintignore at repository root
- Add REPOSITORY_SECRETLINT_CONFIG_FILE: .secretlintrc.json to .mega-linter.yml
- Validate with npx secretlint "**/*"
- Ensure allowlist patterns are consistent with .gitleaks.toml
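The last two steps (validating the allowlist and keeping it consistent with .gitleaks.toml) are easy to get wrong silently: a pattern such as /\$\{.*\}/ suppresses any finding that contains a ${...} placeholder in either tool only if both allowlists carry it. The following script is an added example, not secretlint's, gitleaks' or this repository's own code. It compiles the proposed `allows` entries, compiles a constructed stand-in for the regexes under [allowlist] in .gitleaks.toml, and runs both against constructed sample findings to show which values each tool would suppress and where the two lists have drifted apart. It assumes that secretlint tests each "/pattern/flags" entry against the detected secret text; the sample findings and the gitleaks list are constructed for the demonstration and are not taken from the repository.

```javascript
// Added example (not secretlint's or the project's own code): compile the
// `allows` entries from the proposed .secretlintrc.json and a constructed
// gitleaks-style allowlist, then run both against constructed sample findings.
// Assumption: secretlint tests each "/pattern/flags" entry against the
// detected secret text.

// Copied from the proposed .secretlintrc.json (same JSON string escaping).
const SECRETLINT_ALLOWS = [
  "/testpass.*/i", "/password123/i", "/mock_.*/i", "/fake_.*/i",
  "/dummy_.*/i", "/example_.*/i", "/sample_.*/i", "/__token__/",
  "/contoso/i", "/fabrikam/i", "/\\$\\{.*\\}/", "/\\{\\{.*\\}\\}/",
];

// Constructed stand-in for the regexes under [allowlist] in .gitleaks.toml
// (gitleaks stores bare RE2 patterns, no surrounding slashes or flag suffix).
// It deliberately lacks the template-variable patterns so the drift shows up.
const GITLEAKS_ALLOWS = [
  "(?i)testpass.*", "(?i)password123",
  "(?i)(mock|fake|dummy|example|sample)_.*",
  "__token__", "(?i)contoso", "(?i)fabrikam",
];

// Parse a secretlint allow entry: "/pattern/flags" becomes a RegExp; any
// other string is treated as a literal substring.
function compileSecretlintAllow(entry) {
  const m = /^\/(.*)\/([a-z]*)$/.exec(entry);
  if (m) return new RegExp(m[1], m[2]);
  return new RegExp(entry.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
}

// Parse a gitleaks allow entry: a leading RE2 "(?i)" becomes the JS "i" flag,
// because JS RegExp has no inline-flag syntax.
function compileGitleaksAllow(entry) {
  const ci = entry.startsWith("(?i)");
  return new RegExp(ci ? entry.slice(4) : entry, ci ? "i" : "");
}

// Every allow entry whose compiled pattern matches the given finding.
function matchingAllows(secret, entries, compile) {
  return entries.filter((e) => compile(e).test(secret));
}

function isAllowedBySecretlint(secret) {
  return matchingAllows(secret, SECRETLINT_ALLOWS, compileSecretlintAllow).length > 0;
}

function isAllowedByGitleaks(secret) {
  return matchingAllows(secret, GITLEAKS_ALLOWS, compileGitleaksAllow).length > 0;
}

// Constructed sample findings; none is a real credential.
const SAMPLES = [
  "TestPass2024!",
  "mock_api_key_abc",
  "${DB_PASSWORD}",
  "{{ secrets.TOKEN }}",
  "contoso-storage-key",
  "a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0", // shaped like a real hex token
];

// Findings on which the two allowlists disagree: suppressed by one tool but
// still reported by the other. A non-empty result means the lists have drifted.
function allowlistDrift(samples = SAMPLES) {
  return samples.filter((s) => isAllowedBySecretlint(s) !== isAllowedByGitleaks(s));
}

// Findings that no secretlint allow pattern matches. Only real-looking values
// should appear here; a constructed test credential showing up means the
// allowlist needs tuning.
function stillReported(samples = SAMPLES) {
  return samples.filter((s) => !isAllowedBySecretlint(s));
}

for (const s of SAMPLES) {
  console.log(
    JSON.stringify(s),
    "secretlint:", matchingAllows(s, SECRETLINT_ALLOWS, compileSecretlintAllow),
    "gitleaks:", matchingAllows(s, GITLEAKS_ALLOWS, compileGitleaksAllow),
  );
}
console.log("drift:", allowlistDrift());
console.log("still reported:", stillReported());
```

With the lists as written, the two template-variable samples are suppressed by secretlint but still reported by the constructed gitleaks list, and the hex-shaped value is reported by both, which is the outcome a reviewer wants: the allowlist removes known placeholders without hiding anything that looks like a genuine token. Replace GITLEAKS_ALLOWS with the regexes actually present in .gitleaks.toml to turn this into a real consistency check.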
Additional Context
| Setting | Rationale |
| --- | --- |
| testpass, password123 | Common test credentials |
| mock_, fake_, dummy_ | Test fixture prefixes |
| contoso, fabrikam | Microsoft example domains |
| ${...}, {{...}} | Template variable patterns |
Existing secret detection: .gitleaks.toml is already configured. Secretlint provides complementary coverage with different detection rules.
Benefits
- Reduces false positives from test/example credentials
- Ignores documentation and learning content
- Handles template variable patterns
- Enables direct Secretlint usage outside MegaLinter
- Consistent allowlist with gitleaks patterns
Potential Challenges
- Allowlist patterns may need tuning based on false positive feedback
- Must maintain consistency with .gitleaks.toml allowlist
- Some legitimate test fixtures may still trigger warnings