How do I block secrets/PII in PRs before merge?

Block secrets and PII before merge with PR-stage scans, policy-based checks, and safe fix PRs. Detect leaks early, auto-suggest redactions, and keep every finding auditable inside GitHub—not dashboards.

What “good” looks like

A strong setup ensures that potential leaks never reach main.

  • PR-stage scan runs on every open/update.
  • Merges blocked when high-risk findings exist.
  • Evidence in PR: file, line, pattern, reasoning, timestamp, actor.
  • Suggested fixes: redact, move to ENV, rotate key, or ignore safely.
  • Versioned summary (/audit/secrets-check.md) for compliance proof.

Minimal setup (5 steps)

1️⃣ Enable PR checks.
2️⃣ Turn on Secrets/PII rule set in your reviewer.
3️⃣ Trigger events: pull_request opened, synchronized, reopened.
4️⃣ Add a repo policy file (e.g., .optibot.yml).
5️⃣ Protect branches: require “Secrets Check” before merge.

Start in read-only mode (comments and checks only). Then, optionally, enable “open fix PR” mode for the bot, with human approval required.

Policy file (copy/paste starter)

# .optibot.yml
secrets_scan:
  enabled: true
  paths_include: ["**/*"]
  paths_exclude: ["**/*.png", "**/*.jpg", "dist/**", "node_modules/**", "vendor/**"]
  patterns_block:
    - "AWS_ACCESS_KEY_ID"
    - "AWS_SECRET_ACCESS_KEY"
    - "-----BEGIN PRIVATE KEY-----"
    - "GITHUB_TOKEN"
  pii_block:
    - "email"
    - "credit_card"
  severity_gate: "high"
  allowlist:
    files: [".env.example"]
    regexes: ["FAKE|DUMMY|PLACEHOLDER"]
fix_pr:
  enabled: false
  branch_prefix: "bot/fixes/"
  require_human_approval: true
reporting:
  mode: "checks_first"
  summary_file: "/audit/secrets-check.md"

What gets flagged (and how it’s handled)

Default actions for detected secrets and PII

| Category | Examples | Default action |
| --- | --- | --- |
| Secrets | API keys, tokens, private keys, cloud creds | Block merge + suggest redaction/ENV var move + rotation |
| PII | Email, phone, SSN/financial IDs | Block if high-risk or outside approved paths; otherwise warn |
| Risky paths | .env, config/*.json, settings.py | Block on real values; allow placeholder samples |

The “Reasoning drawer” (evidence, not vibes)

Finding: Hard-coded token
File: config/__init__.py:87
Reason: Secret pattern (AWS_SECRET_ACCESS_KEY) matched; not allowlisted
Evidence: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Action: Suggested change → use ENV var; offered fix PR
Actor: @reviewer-bot • 2025-08-16T14:22Z
Status: Merge blocked (Secrets Check)

A rule ID plus a diff link makes each finding fast to verify. Many hits are rolled into one Check; only must-fix findings become PR comments.
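As an added illustration (not Optibot's own code), here is how the starter policy above and the fields in the reasoning drawer translate into a check over a PR's added lines: excluded paths and allowlisted files are skipped, allowlisted dummy values suppress a hit, and any remaining hit blocks the merge. The policy dict, the sample diff lines and the evidence-masking helper are all constructed for this example.

```python
import fnmatch
import os
import re

# Constructed policy mirroring the .optibot.yml starter above; a real bot would load the
# YAML file, the dict is embedded here so the example runs offline.
POLICY = {
    "paths_exclude": ["**/*.png", "**/*.jpg", "dist/**", "node_modules/**", "vendor/**"],
    "patterns_block": ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
                       "-----BEGIN PRIVATE KEY-----", "GITHUB_TOKEN"],
    "allowlist": {"files": [".env.example"], "regexes": ["FAKE|DUMMY|PLACEHOLDER"]},
}
# Constructed sample: the '+' lines of a PR diff as (path, line number, text).
SAMPLE_ADDED_LINES = [
    ("config/__init__.py", 87, 'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"'),
    (".env.example", 3, "GITHUB_TOKEN=ghp_PLACEHOLDER"),
    ("docs/setup.md", 12, "export AWS_ACCESS_KEY_ID=AKIA_FAKE_KEY_FOR_DOCS"),
    ("vendor/lib/keys.txt", 1, "-----BEGIN PRIVATE KEY-----"),
]

def _excluded(path, globs):
    # fnmatch's '*' also matches '/', so 'dist/**' covers nested files; a leading '**/'
    # is also tried without the prefix so that '**/*.png' covers top-level files.
    return any(fnmatch.fnmatchcase(path, g) or
               (g.startswith("**/") and fnmatch.fnmatchcase(path, g[3:])) for g in globs)

def _mask(text):
    # Keep the first 4 characters of any quoted value longer than 12 so the evidence
    # shown in the Check does not itself republish the secret.
    return re.sub(r'(["\'])([^"\']{4})[^"\']{8,}(["\'])', r"\1\2****\3", text)

def scan_added_lines(added_lines, policy=POLICY):
    """Return one finding per blocked pattern hit, in the fields the Check reports."""
    allow_res = [re.compile(r) for r in policy["allowlist"]["regexes"]]
    allow_files = set(policy["allowlist"]["files"])
    findings = []
    for path, lineno, text in added_lines:
        if _excluded(path, policy["paths_exclude"]):
            continue  # binary assets, build output and vendored code are out of scope
        if path in allow_files or os.path.basename(path) in allow_files:
            continue  # e.g. .env.example carries placeholders by design
        for pattern in policy["patterns_block"]:
            if pattern in text and not any(r.search(text) for r in allow_res):
                findings.append({"file": f"{path}:{lineno}", "pattern": pattern,
                                 "reason": f"Secret pattern ({pattern}) matched; not allowlisted",
                                 "evidence": _mask(text.strip())})
    return findings

def merge_allowed(findings):
    return not findings  # every blocked pattern counts as high, so any hit trips the gate
```

Running `scan_added_lines(SAMPLE_ADDED_LINES)` yields a single finding for `config/__init__.py:87` with the value masked, and `merge_allowed` returns False, which is the "Merge blocked (Secrets Check)" state shown in the drawer.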

Optional: safe “fix PR” flow

When enabled, the bot opens bot/fixes/... with:

  • Secret redacted → replace with ENV var.
  • .gitignore/path updates if needed.
  • Rotation checklist in PR body (owner, where, links).

Human approval is required; branch protections enforce the policy.

FAQ

Can we scan forks and external contributors?

Yes. Run PR-stage checks read-only on forks; keep write actions disabled.

What if we need sample creds in docs?

Allowlist dummy values via regex (e.g., FAKE|DUMMY|PLACEHOLDER) or files like .env.example.

How do we prevent false positives?

Tune exclude paths, add allowlist regex, and use deterministic rule IDs for discussion.

What about secrets already in history?

PR checks stop new leaks; for old ones, rotate and optionally clean history if policy demands.

Does this store our code?

No. Findings stay in your repo via PR comments and Checks; nothing leaves GitHub.
