Add secret scanning, pre-commit guardrails, and security hardening #6

Draft
Copilot wants to merge 2 commits into main from copilot/add-repo-wide-protections


Conversation

Copilot AI commented Mar 1, 2026

Prevents accidental commits of secrets and internal identifiers. Adds automated scanning in CI and local developer hooks. Redacts an existing Cloudflare account ID found in docs.

Changes

Remediation

  • PORKBUN-DNS.md: Replaced https://dash.cloudflare.com/<account-id> with the generic base URL — the account ID was the only concrete sensitive identifier found in the working tree

CI Secret Scanning

  • .github/workflows/gitleaks.yml: Runs gitleaks/gitleaks-action@v2 on all push/PR events; fails if any leak is detected
  • .gitleaks.toml: Extends the default ruleset; allowlists your_*/<PLACEHOLDER> patterns and the .env.example files to suppress expected false positives

Local Guardrails

  • .pre-commit-config.yaml: Gitleaks hook (pinned to v8.21.2) — developers enable with pre-commit install

.gitignore Hardening

Added patterns for:

  • Key/certificate files: *.key, *.p12, *.pfx, *_rsa, *_ed25519, etc.
  • Terraform state: *.tfstate, .terraform/, terraform.tfvars
  • Explicit local env overrides: .env.local, .env.production, .env.staging, etc.

Documentation

  • SECURITY.md (new): Private vulnerability reporting instructions, secrets management policy (GitHub Actions Secrets / wrangler secret put), pre-commit setup guide
  • README.md: Added security section summarising the policy and linking to SECURITY.md

Note on history: The Cloudflare account ID is redacted in the working tree only. If the account ID is considered sensitive, a history rewrite (git filter-repo) is recommended outside this PR.

Original prompt

Repository: aegntic/cldcde

Goal
Implement repo-wide protections so that non-public/sensitive information remains non-public. This includes preventing accidental commits of secrets or internal identifiers, and adding automated scanning in CI.

Requirements

  1. Add secret scanning in CI
  • Add a GitHub Actions workflow that runs on push and pull_request.
  • Use gitleaks (preferred) to scan the repository for secrets.
  • Fail the workflow if leaks are detected.
  • Keep configuration minimal but allow a repo-local config file to tune rules/allowlists.
  2. Add local developer guardrails
  • Add pre-commit configuration (or equivalent) to run gitleaks (and optionally basic checks) before commits.
  • Include clear setup instructions in documentation.
  3. Harden ignore rules and safe templates
  • Update .gitignore to ignore common secret-bearing files (.env, keys, certificates, local overrides, terraform state, etc.).
  • Add .env.example (or ensure it exists) with placeholder values and guidance to never commit real secrets.
  4. Documentation and policy
  • Add SECURITY.md with instructions for private vulnerability reporting.
  • Update README (or add a short docs page) describing how secrets should be stored (GitHub Actions Secrets, Cloudflare secrets, etc.) and that account-specific dashboard URLs / IDs should not be committed.
  • Add guidance to use placeholders in docs.
  5. Repo audit + remediation
  • Scan the current repository contents to identify any existing non-public information (e.g., Cloudflare dashboard deep links with account IDs, tokens, API keys, private keys, internal hostnames).
  • Remediate findings in the working tree by redacting/replacing with placeholders where appropriate, especially in documentation files.
  • If any actual secrets are found, do NOT print them in logs or PR description; instead, redact and add guidance to rotate them.

Notes

  • Do not rewrite git history in this PR. If history rewrite is needed, add a note in documentation/PR description with recommended steps.
  • Ensure the changes are safe for a public repository.

Context
User flagged that PORKBUN-DNS.md currently contains a Cloudflare dashboard URL with an account identifier; review and redact such non-public identifiers across the repo.

Deliverables (likely files)

  • .github/workflows/gitleaks.yml (or similar)
  • .gitleaks.toml (optional)
  • .pre-commit-config.yaml
  • .gitignore updates
  • SECURITY.md
  • README updates and/or docs
  • Redactions in docs as needed (including PORKBUN-DNS.md)

This pull request was created from Copilot chat.
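The two audit-and-remediation steps the PR describes (flag account-specific Cloudflare dashboard deep links and credential-looking assignments, allowlist `your_*` / `<PLACEHOLDER>` values, and replace the deep link with the generic base URL without echoing the real value) can be exercised locally with a small pre-commit-style checker. The script below is an added example, not code from this PR or from the aegntic/cldcde repository, and it does not replace gitleaks. It assumes a Cloudflare account ID is a 32-character lowercase hex path segment directly after `https://dash.cloudflare.com/`; the function names (`scan_text`, `redact_dashboard_urls`, `is_placeholder`) and the sample inputs are constructed for the example.

```python
"""Pre-commit-style check for non-public identifiers (added example; not the
project's own hook or gitleaks rule).  Findings are reported masked so the
hook itself never prints a full secret into logs."""
import re
import sys
from typing import List, Tuple

# Assumption: a Cloudflare account ID is a 32-char lowercase hex string used as the
# first path segment of a dashboard deep link.  Anything after it is dropped too.
CF_DASHBOARD_RE = re.compile(
    r"https://dash\.cloudflare\.com/(?P<account>[0-9a-f]{32})(?P<rest>/[^\s)>\"']*)?"
)
GENERIC_DASHBOARD_URL = "https://dash.cloudflare.com/"

# Allowlisted placeholder shapes, mirroring the your_* / <PLACEHOLDER> rules in the PR.
PLACEHOLDER_RE = re.compile(r"^(your_[a-z0-9_]+|<[A-Z][A-Z0-9_]*>)$")

# KEY=value assignments whose variable name suggests a credential.
ASSIGNMENT_RE = re.compile(
    r"^\s*(?:export\s+)?(?P<name>[A-Z][A-Z0-9_]*?(?:KEY|TOKEN|SECRET|PASSWORD))"
    r"\s*=\s*['\"]?(?P<value>[^'\"\s#]+)"
)

Finding = Tuple[str, int, str, str]  # (path, line number, kind, masked value)


def is_placeholder(value: str) -> bool:
    """True when the value is an allowlisted placeholder rather than a real secret."""
    return PLACEHOLDER_RE.match(value) is not None


def mask(value: str) -> str:
    """Keep only a 4-char prefix so a finding can be reported without leaking it."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(text: str, path: str) -> List[Finding]:
    """Return one finding per account-ID deep link or non-placeholder credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CF_DASHBOARD_RE.finditer(line):
            findings.append((path, line_no, "cloudflare-account-id", mask(m.group("account"))))
        m = ASSIGNMENT_RE.match(line)
        if m and not is_placeholder(m.group("value")):
            kind = "credential-assignment:" + m.group("name")
            findings.append((path, line_no, kind, mask(m.group("value"))))
    return findings


def redact_dashboard_urls(text: str) -> Tuple[str, int]:
    """Replace every account-specific deep link with the generic base URL.

    Returns the rewritten text and the number of replacements made."""
    return CF_DASHBOARD_RE.subn(GENERIC_DASHBOARD_URL, text)


# Constructed sample inputs (the hex ID and token are made up, not real values).
SAMPLE_DOC = """# DNS setup (constructed sample)
Open https://dash.cloudflare.com/0123456789abcdef0123456789abcdef/example.com/dns and add the records.
Then return to https://dash.cloudflare.com/ to verify.
"""
SAMPLE_ENV_EXAMPLE = "CLOUDFLARE_API_TOKEN=your_cloudflare_api_token\nDATABASE_PASSWORD=<PASSWORD>\n"
SAMPLE_ENV_REAL = "export CLOUDFLARE_API_TOKEN=cf_constructed_not_real_token_value\n"


def main(paths: List[str]) -> int:
    """Scan the given files (e.g. staged files from a pre-commit hook); exit 1 on any finding."""
    if not paths:  # no arguments: demonstrate on the constructed samples
        samples = {"PORKBUN-DNS.md": SAMPLE_DOC, ".env.example": SAMPLE_ENV_EXAMPLE, ".env": SAMPLE_ENV_REAL}
        findings = [f for p, t in samples.items() for f in scan_text(t, p)]
        redacted, n = redact_dashboard_urls(SAMPLE_DOC)
        print(f"redacted {n} dashboard deep link(s); remaining findings after redaction: "
              f"{scan_text(redacted, 'PORKBUN-DNS.md')}")
    else:
        findings = []
        for p in paths:
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), p))
    for path, line_no, kind, masked in findings:
        print(f"{path}:{line_no}: {kind} ({masked})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the constructed samples scored; in a hook, pass the staged file list and treat a non-zero exit as a blocked commit. Only the masked prefix is ever printed, which is the behaviour the prompt asks for when a real secret is found.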

…ITY.md, README update, and redact Cloudflare account ID

Co-authored-by: aegntic <195048582+aegntic@users.noreply.github.com>
cloudflare-workers-and-pages bot commented Mar 1, 2026

Deploying with Cloudflare Workers

The latest updates on your project.

Status:            Deployment failed (view logs)
Name:              cldcde
Latest Commit:     88815e7
Updated (UTC):     Mar 01 2026, 10:50 AM

Copilot AI changed the title [WIP] Implement repo-wide protections for sensitive information Add secret scanning, pre-commit guardrails, and security hardening Mar 1, 2026