2 files changed, 23 insertions, 0 deletions

diff --git a/users/wpcarro/ci/pipelines/post-receive.nix b/users/wpcarro/ci/pipelines/post-receive.nix
new file mode 100644
index 0000000000..09b8990e13
--- /dev/null
+++ b/users/wpcarro/ci/pipelines/post-receive.nix
@@ -0,0 +1,14 @@
+{ pkgs, depot, ... }:
+
+let
+  inherit (builtins) path toJSON;
+
+  pipeline.steps = [
+    {
+      key = "lint-secrets";
+      command = "${pkgs.git-secrets}/bin/git-secrets --scan-history";
+      label = ":broom: lint secrets";
+    }
+  ];
+in
+pkgs.writeText "pipeline.yaml" (toJSON pipeline)
diff --git a/users/wpcarro/ci/secret-patterns.txt b/users/wpcarro/ci/secret-patterns.txt
new file mode 100644
index 0000000000..cbf58a1e74
--- /dev/null
+++ b/users/wpcarro/ci/secret-patterns.txt
@@ -0,0 +1,9 @@
+(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
+("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
+("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
+AIza[0-9A-Za-z_-]{35}
+[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com
+(^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{43}
+(^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{64}
+ya29\.[0-9A-Za-z_-]+
+(sk|pk)_(test|live)_[a-zA-Z0-9]{99}