From c72a272b54e7b60f1b19c8ed45862c16a0cd80f7 Mon Sep 17 00:00:00 2001
From: vaultsovereign <vaultsovereign@users.noreply.gitlab.com>
Date: Wed, 17 Dec 2025 15:43:35 +0000
Subject: [PATCH] Fix CI secret scan

---
 .gitlab-ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 62c2593..e49b99c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,8 +9,8 @@ verify:no_secrets:
     # Global secret scan (cheap but effective)
     - |
       set +e
-      secret_re='(BEGIN (RSA|OPENSSH|EC) PRIVATE KEY|-----BEGIN PGP PRIVATE KEY BLOCK-----|aws_secret_access_key|AKIA[0-9A-Z]{16}|xox[baprs]-[0-9A-Za-z-]{10,}|ghp_[A-Za-z0-9]{36}|glpat-[A-Za-z0-9_-]{20,})'
-      matches="$(git grep -lE "$secret_re" -- .)"
+      secret_re='(-----BEGI[N] (RSA|OPENS[S]H|EC) PRIV[A]TE KEY-----|-----BEGI[N] ENCR[Y]PTED PRIV[A]TE KEY-----|-----BEGI[N] PRIV[A]TE KEY-----|-----BEGI[N] PGP PRIV[A]TE KEY BLOC[K]-----|aws_secret_access_[k]ey|AKI[A][0-9A-Z]{16}|xox[baprs]-[0-9A-Za-z-]{10,}|gh[p]_[A-Za-z0-9]{36}|glp[a]t-[A-Za-z0-9_-]{20,})'
+      matches="$(git grep -lE "$secret_re" -- . ':!vault/**')"
       status=$?
       set -e