PaystackHQ · Jocelyn-paystack · Mar 5, 2026 · Mar 5, 2026
diff --git a/.github/secret_scanning.yml b/.github/secret_scanning.yml
@@ -0,0 +1,3 @@
+paths-ignore:
+  - "mocks/**"
+  - "**/*_test.go"
diff --git a/docs/memory/secret-scanning.md b/docs/memory/secret-scanning.md
@@ -0,0 +1,104 @@
+# Secret Scanning Assessment - Test Path Patterns
+
+**Repository:** secrets-init
+**Tech Stack:** Go
+**Assessment Date:** 2026-03-05
+**Branch:** security/add-secret-scanner-config
+
+## Summary
+
+This repository contains a Go-based secrets manager that retrieves secrets from AWS Secrets Manager, AWS SSM Parameter Store, and Google Cloud Secret Manager. The codebase is minimal with only 10 Go files total, of which 2 are test files.
+
+## Test Patterns Found
+
+The following test-related patterns were confirmed to exist in this repository:
+
+### 1. Mock Directory
+- **Pattern:** `mocks/`
+- **Location:** Root level
+- **Contents:** 3 Go files containing mock implementations of AWS and GCP Secret Manager APIs
+  - `GoogleSecretsManagerAPI.go` (1,970 bytes)
+  - `SecretsManagerAPI.go` (58,028 bytes)
+  - `SSMAPI.go` (380,835 bytes)
+- **Purpose:** Mock API implementations for testing secret retrieval functionality
+
+### 2. Go Test Files
+- **Pattern:** `**/*_test.go`
+- **Files Found:** 2 test files
+  - `pkg/secrets/google/secrets_test.go` (215 lines)
+  - `pkg/secrets/aws/secrets_test.go` (186 lines)
+- **Purpose:** Unit tests for AWS and GCP secret provider implementations
+- **Contains:** Mock credentials, test ARNs, and fixture data including:
+  - Mock AWS ARNs: `arn:aws:secretsmanager:12345678`, `arn:aws:ssm:us-east-1:12345678:parameter/secrets/test-secret`
+  - Mock GCP project paths: `projects/test-project-id/secrets/test-secret`
+  - Test secret values: `test-secret-value`, `test-secret-value-1`, `test-secret-value-2`
+
+## Patterns Not Found
+
+The following common test patterns were **NOT** found in this repository:
+
+- No `test/`, `tests/`, `__tests__/`, `spec/`, `specs/` directories
+- No `e2e/`, `cypress/`, `playwright/` directories
+- No `fixtures/`, `__fixtures__/`, `__mocks__/`, `stubs/` directories
+- No `testdata/`, `test-data/`, `seed/`, `seeds/`, `factories/` directories
+- No JavaScript/TypeScript test files (`*.test.js`, `*.test.ts`, `*.spec.js`, `*.spec.ts`)
+- No Python test files (`*.test.py`, `*_test.py`)
+- No Ruby test files (`*.spec.rb`, `*_spec.rb`)
+- No mobile/Android test paths (`src/test/**`, `src/androidTest/**`)
+
+## Potential False Positive Risks
+
+No directories or files were found that could be accidentally excluded by loose pattern matching (e.g., directories named "protest", "contest", "testament", etc.).
+
+## Recommended Secret Scanning Configuration
+
+Based on this assessment, the following paths should be excluded from GitHub secret scanning:
+
+1. **`mocks/`** - Contains mock API implementations used for testing
+2. **`**/*_test.go`** - Go test files containing test fixtures and mock credentials
+
+## Notes
+
+- Total Go files: 10
+- Total test files: 2 (20% of codebase)
+- The repository follows standard Go testing conventions
+- All test data uses clearly fake values (e.g., "test-secret-value", "12345678")
+- No configuration files (jest.config, vitest.config, etc.) exist - this is a pure Go project
+- No .env files of any kind were found in the repository
+
+## Implementation Complete ✅
+
+**Date:** 2026-03-05
+**File Created:** `.github/secret_scanning.yml`
+
+### Final Patterns Applied
+
+The following 2 patterns were added to the secret scanning configuration:
+
+1. **`mocks/**`**
+   - **Justification:** Literal directory name at root level containing only mock API implementations
+   - **Scope:** Tightly scoped to the single `mocks/` directory, no wildcards in directory name
+   - **Risk Assessment:** Zero false positive risk - no other directories match this pattern
+
+2. **`**/*_test.go`**
+   - **Justification:** Standard Go test file suffix convention (files ending in `_test.go`)
+   - **Scope:** Specific file suffix pattern, not a broad file type pattern
+   - **Risk Assessment:** Only matches Go test files, cannot accidentally match production code
+   - **Coverage:** Excludes both confirmed test files:
+     - `pkg/secrets/google/secrets_test.go`
+     - `pkg/secrets/aws/secrets_test.go`
+
+### Pattern Verification
+
+✅ All patterns anchor to literal names (no partial word matching)
+✅ No overly broad patterns like `**/*test*` or `**/*.go`
+✅ No config file exclusions (none exist in this repo)
+✅ No speculative patterns (only confirmed paths)
+✅ Total patterns: 2 (well under the 10 pattern maximum)
+
+### Security Review
+
+- All production Go files in `pkg/`, `cmd/`, and `internal/` remain fully scanned
+- All configuration files (if added in future) remain fully scanned
+- All documentation remains fully scanned
+- Only test fixtures and mock implementations are excluded