czlonkowski · czlonkowski · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
@@ -0,0 +1,38 @@
+name: Secret Scan
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+# Minimal permissions: secretlint only needs to read repository contents.
+# The workflow does not comment on PRs, upload artifacts, or modify state.
+permissions:
+  contents: read
+
+jobs:
+  secretlint:
+    name: secretlint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Full history lets secretlint see any new files introduced in a PR
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci --ignore-scripts
+
+      - name: Run secretlint
+        # Scan everything except what .secretlintignore excludes. The pre-commit
+        # hook only scans staged files (fast); this CI job is the authoritative
+        # check that catches anything that slipped through --no-verify.
+        run: npx secretlint --maskSecrets "**/*" "**/.*"
diff --git a/.gitignore b/.gitignore
@@ -135,8 +135,8 @@ n8n-mcp-wrapper.sh
 # Package tarballs
 *.tgz
 
-# MCP configuration files
-.mcp.json
+# MCP configuration files (all variants: .mcp.json, .mcp.json.bk, .mcp.json.bak, etc.)
+.mcp.json*
 
 # UI Apps build output
 ui-apps/dist/

diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -0,0 +1,34 @@
+#!/usr/bin/env sh
+# Pre-commit: block accidentally committed secrets.
+#
+# Uses secretlint against staged files only (fast). If secretlint is not
+# installed (e.g. contributor skipped `npm install`), the hook fails open
+# with a warning — CI will still run the authoritative check.
+#
+# To skip this hook locally (NOT recommended): `git commit --no-verify`.
+
+# Collect list of staged files that would be added/modified (exclude deletions)
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACMR)
+
+if [ -z "$STAGED_FILES" ]; then
+  exit 0
+fi
+
+if ! command -v npx >/dev/null 2>&1; then
+  echo "⚠️  husky/pre-commit: npx not found, skipping secret scan"
+  exit 0
+fi
+
+# Run secretlint on the staged files. --maskSecrets hides any detected values
+# from the terminal output so developers don't accidentally copy them.
+echo "$STAGED_FILES" | xargs npx --no-install secretlint --maskSecrets
+EXIT_CODE=$?
+
+if [ $EXIT_CODE -ne 0 ]; then
+  echo ""
+  echo "❌ Secret scanner blocked the commit."
+  echo "   If this is a false positive, add the file to .secretlintignore"
+  echo "   or the rule to .secretlintrc.json. To bypass (NOT recommended):"
+  echo "   git commit --no-verify"
+  exit 1
+fi
diff --git a/.secretlintignore b/.secretlintignore
@@ -0,0 +1,35 @@
+# Large build/data artifacts — no source content, no secret risk
+dist/
+data/nodes.db
+ui-apps/dist/
+node_modules/
+
+# Local environment files (already gitignored, but secretlint doesn't read
+# .gitignore). Listing here keeps local scans consistent with CI.
+.env
+.env.*
+
+# Local clones of upstream n8n-docs (already gitignored). These are upstream
+# documentation with example credentials in markdown; not our code to fix.
+n8n-docs/
+temp/
+
+# Package lock files contain integrity hashes and registry URLs that trip
+# high-entropy rules. They are machine-generated and reviewed separately.
+package-lock.json
+ui-apps/package-lock.json
+
+# Extracted/imported test fixtures (mock data, not real secrets)
+tests/extracted-nodes-db/
+tests/node-storage-export.json
+
+# Tests that deliberately contain fake tokens to exercise our own
+# credential-scanner and telemetry redaction code paths. These fixtures
+# are what proves those features work.
+tests/unit/services/credential-scanner.test.ts
+tests/unit/telemetry/telemetry-events.test.ts
+
+# Template fixtures (user workflow JSON; any embedded credentials are
+# mock data from public n8n.io templates — scanned separately by the
+# sanitize-templates script)
+data/workflow-patterns.json
diff --git a/.secretlintrc.json b/.secretlintrc.json
@@ -0,0 +1,7 @@
+{
+  "rules": [
+    {
+      "id": "@secretlint/secretlint-rule-preset-recommend"
+    }
+  ]
+}