Secret Detection¶
dot-man automatically detects and removes secrets before any commit.
How It Works¶
- Detection: Scans files for patterns (API keys, tokens, passwords)
- Extraction: Removes the secret value from the file
- Tokenization: Replaces with
VAULT_TOKEN_<hash> - Encryption: Encrypts the real value in the vault using Fernet
Supported Patterns¶
- AWS Access Key / Secret Key
- GitHub tokens (
ghp_,gho_,github_pat_) - Google API keys
- Private keys (RSA, SSH, PGP)
- Generic API keys, tokens, passwords
- Connection strings
- JWT tokens
Custom Patterns¶
Add custom patterns in dot-man.toml:
Vault¶
Secrets are stored in ~/.config/dot-man/vault.json:
- Encrypted with Fernet (AES-128-CBC + HMAC)
- Key at ~/.config/dot-man/.key
- Never committed to git