- Never commit
.dbfiles, export files (CSV, JSONL, or Parquet from scans), or.env(or other env files containing secrets). These are listed in.gitignore; keep them out of version control. - Exposed secrets detected on scanned sites and all collected data (URLs, headers) are stored and logged in full. No redaction is applied; this is a data collection tool. The security boundary is: do not commit
.dbfiles or export files (CSV/JSONL/Parquet), and protect them and config with file permissions.
config/gitleaks.tomlcontains upstream Gitleaks allowlist literals (known example/test keys). Those strings are used so that when we scan a page containing one of them, we do not report it as a finding; they are not project secrets. This path is excluded from GitHub secret scanning via.github/secret_scanning.ymlso that those allowlist entries do not generate alerts.
For full security and secret-management details (gitleaks, pre-commit, CI, environment variables), see README.md – Security & Secret Management.
- Transport trust: Page-fetch HTTP clients use strict TLS (see ADR 0003); TLS capture for observation uses a separate path in
src/tls/. - Prioritized actions and threat model: docs/SECURITY_REMEDIATION_ROADMAP.md (links to threat model, secret retention audit, and supply chain posture).