Fix secret scanning workflow to exclude f-strings with variables

James Campbell · James Campbell · commit 37acf176a271 · 2026-01-05T02:18:23.000-05:00
diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml
@@ -25,7 +25,17 @@ jobs:
       run: |
         echo "Checking for common secret patterns..."
         # Check for hardcoded API keys, passwords, tokens
-        if grep -rE "(api[_-]?key|apikey|secret|password|token|auth|credential|private[_-]?key)\s*=\s*['\"][^'\"]{10,}" --include="*.py" python-examples/ | grep -v "configs.py" | grep -v "from configs import" | grep -v "os.getenv" | grep -v "input(" | grep -v "#.*example" | grep -v "yoursecretkey" | grep -v "your.*token"; then
+        # Exclude: configs.py, imports, os.getenv, input(), examples, f-strings with variables
+        if grep -rE "(api[_-]?key|apikey|secret|password|token|auth|credential|private[_-]?key)\s*=\s*['\"][^'\"]{10,}" --include="*.py" python-examples/ | \
+           grep -v "configs.py" | \
+           grep -v "from configs import" | \
+           grep -v "os.getenv" | \
+           grep -v "input(" | \
+           grep -v "#.*example" | \
+           grep -v "yoursecretkey" | \
+           grep -v "your.*token" | \
+           grep -vE "f[\"'].*\{.*(password|api|secret|token|auth|credential)" | \
+           grep -vE "['\"].*\{.*\}.*['\"]"; then
           echo "::error::Found potential hardcoded secrets in code!"
           exit 1
         fi
