DEV Community

Nadine

Keep Your Secrets Safe

GitHub Copilot CLI Challenge Submission

This is a submission for the GitHub Copilot CLI Challenge

What I Built

I exposed an API key in a GitHub repo that was supposed to be private. For a whole month, the key sat in git history while I worked on other things.

Solution: prevent API keys and other secrets from being committed to git by accident. Set it up once; there is nothing to remember afterwards.

The Problem

Most .gitignore templates only cover common variants like:

.env
.env.local

But miss production/staging variants like:

.env.production
.env.staging
.env.development

This is exactly how I accidentally exposed my API key. I thought my .gitignore was thorough, but when my project configuration was converted to .env.production, it wasn't blocked—and got committed silently.

The Solution

I created a secure project template that uses:

  1. Proper .gitignore blocking - .env* catches ALL variants, with a negation rule (!.env.example) so the placeholder file stays tracked

    • ✔ Blocks: .env, .env.production, .env.staging, .env.development.local, and credential JSONs
    • ✔ Allows: .env.example (placeholder-only files for documentation)
    • Check it with git check-ignore -v <file>, which prints the rule that matched (and nothing if the file would be committed)
  2. Local Pre-commit Hooks - Detects secrets before they're committed

    • Catches API keys, passwords, private keys, OAuth tokens
    • Runs automatically on every commit
    • Can't be bypassed accidentally (a deliberate git commit --no-verify still skips it, which is why the server-side check exists)
  3. Server-Side GitHub Actions - Continuous secret scanning

    • Runs on every push/PR
    • Can't be skipped from a developer's machine
    • Blocks merges with detected secrets once the check is marked as required in branch protection
  4. One-Command Setup - make setup

    • Auto-detects Python/Node.js/Go projects
    • Prerequisites checker verifies Git, Python, Node, Go
    • Clear error messages if something's missing
    • No decision paralysis: it just works

How It Works

Step 1: Create & Clone

Go to nadinev6/no-secrets and click the "Use this template" button.

Or use the CLI:

# Create from template (choose public or private)
gh repo create my-project --template=nadinev6/no-secrets --public --clone
cd my-project

Either way, this creates a new repo in your account with all the template files.

Step 2: Setup

# Mac/Linux
make setup

# Windows (PowerShell)
.\setup.bat setup

That's it! 🎉

Demo

Watch Demo


The setup command:

✔ Checks for required tools (Git, Python/Node/Go)
✔ Auto-detects your project type
✔ Installs pre-commit hooks
✔ Shows a success message with next steps

Real secrets get caught even in example files, while legitimate placeholder and test values are allowed through.
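To make the pre-commit stage concrete (item 2 of the solution above, and the point just made about example files), here is an added example of the kind of hook logic involved. It is not the no-secrets template's own hook and not gitleaks, which the template links to; the regexes, the entropy threshold, the placeholder allowlist and the sample staged files are all constructed assumptions for this illustration. It flags a prefixed token wherever it appears, including inside .env.example, and judges generic KEY=value assignments by the value, so documented placeholders such as your-api-key-here or <db-password> pass.

```python
"""Pre-commit style secret scan with a placeholder allowlist.

Added example, not the no-secrets template's own hook: the patterns,
thresholds, allowlist and sample files are constructed here to show how a
hook can flag real-looking credentials (even inside .env.example) while
letting documented placeholder values through.
"""
from __future__ import annotations

import math
import re
import sys
from collections import Counter

# Token formats with a recognisable prefix: flagged on sight, wherever they appear.
PREFIXED_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("Slack token", re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
]

# KEY=value (or KEY = "value", key: value) where the key name suggests a credential.
ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?(?P<key>[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY)[A-Z0-9_]*)"
    r"\s*[=:]\s*['\"]?(?P<value>[^'\"\s#]+)",
    re.IGNORECASE,
)

# Values that document a setting rather than hold one (constructed allowlist).
PLACEHOLDER = re.compile(
    r"<[^>]+>|\$\{[^}]+\}|changeme|change-me|your[-_][a-z0-9_-]+|x{3,}|dummy|example|placeholder|test|todo|redacted",
    re.IGNORECASE,
)

MIN_LENGTH = 16    # shorter assigned values are ignored unless a prefixed pattern hits
MIN_ENTROPY = 3.0  # bits per character; assumed threshold, tune per code base


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking keys score high."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) if n else 0.0


def is_placeholder(value: str) -> bool:
    return PLACEHOLDER.fullmatch(value) is not None


def scan_text(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line number, reason) for each line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = next((name for name, rx in PREFIXED_PATTERNS if rx.search(line)), None)
        if hit:
            findings.append((path, lineno, hit))
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if is_placeholder(value) or len(value) < MIN_LENGTH:
            continue
        if shannon_entropy(value) >= MIN_ENTROPY:
            findings.append((path, lineno, f"high-entropy value assigned to {key}"))
    return findings


def scan_files(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan a mapping of path -> staged content; empty list means the commit may proceed."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


FAKE_GITHUB_TOKEN = "ghp_" + "x1" * 18  # constructed: right shape, not a real token

SAMPLE_FILES = {  # constructed staged contents
    ".env.example": (
        "API_KEY=your-api-key-here\n"
        "DB_PASSWORD=<db-password>\n"
        f"GITHUB_TOKEN={FAKE_GITHUB_TOKEN}\n"  # real-shaped token pasted into the example file
    ),
    "deploy/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'  # the example key ID from AWS's own docs
        'DB_PASSWORD = "correct-horse-battery-staple-2024"\n'
    ),
    "tests/conftest.py": 'API_KEY = "test"\nSLACK_TOKEN = "${SLACK_TOKEN}"\n',
    "README.md": "Copy .env.example to .env and fill in your own values.\n",
}


if __name__ == "__main__":
    # As a pre-commit hook the framework passes the staged file names as arguments;
    # with no arguments the constructed samples are scanned instead.
    if len(sys.argv) > 1:
        staged = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    else:
        staged = SAMPLE_FILES
    results = scan_files(staged)
    for path, lineno, reason in results:
        print(f"{path}:{lineno}: {reason}")
    sys.exit(1 if results else 0)
```

Run without arguments it reports three findings (the token in .env.example, the AWS key ID, and the high-entropy DB_PASSWORD) and exits 1; tests/conftest.py and README.md produce nothing. Wired in as a local pre-commit hook it receives the staged paths and a non-zero exit aborts the commit, which is the same contract the template's hooks rely on. The entropy threshold is a trade-off: lower it and long numeric values start to trip it, raise it and passphrase-style passwords slip through, so it is a backstop behind the prefixed patterns rather than a substitute for them.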

My Experience with GitHub Copilot CLI

GitHub CLI was essential for helping me make this template reusable.

I learnt it's best to not over-engineer it.

The best template is one that:

  • Works reliably
  • Is easy to understand

  • .gitignore variants are tricky (.env.production isn't .env)
  • Local checks aren't enough (need server-side GitHub Actions)
  • Users need ONE simple command, not complex instructions
  • Auto-detection beats decision paralysis

Now I am using this template for every project. You should too.


Links & Resources

Gitleaks
Pre-commit docs
GitHub secret scanning
OWASP Secrets Management
No-secrets Project Template
