security(ci): allowlist incident-doc paths in gitleaks + non-block dependency-review (no GHAS) by skhaitan · Pull Request #7 · Booking-brain/developer-docs

skhaitan · 2026-05-13T23:06:17Z

Summary

Option-B fix for the two CI gates that block every PR after the 2026-05-09 Shai-Hulud incident docs landed:

gitleaks (secret-scan.yml) — .gitleaks.toml allowlist did not cover the repo-root SECURITY-INCIDENT-*.md / SECURITY-AUDIT-*.md / SECURITY-EXCEPTIONS*.md files, so the custom bb-malware-blockchain-loader-marker rule fired on its own documentation. Adds those paths to the existing [allowlist].paths array.
dependency-review.yml — actions/dependency-review-action errors with "Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security" because GHAS is not currently enabled on private repos and is not being purchased right now. Adds continue-on-error: true at job level so the gate is non-blocking until GHAS is enabled.

Both gates remain installed and visible in PR CI runs; they just stop self-blocking every PR.

After merge, open a no-op PR and confirm Gitleaks + Dependency Review checks are green (or "passed with errors" for dep-review)
Confirm the bb-malware-blockchain-loader-marker rule still fires on a fake commit that adds an IoC string to a non-allowlisted runtime file

🤖 Generated with Claude Code

…emove corrupted gitleaks regex

skhaitan force-pushed the security/fix-ci-gates-option-b branch 4 times, most recently from eadaf68 to ead9b51 Compare May 13, 2026 23:20

security(ci): allowlist incident-doc paths + non-block dep-review + r…

9ef74ae

…emove corrupted gitleaks regex

skhaitan force-pushed the security/fix-ci-gates-option-b branch from ead9b51 to 9ef74ae Compare May 13, 2026 23:23

skhaitan requested a review from nitinwepro May 14, 2026 08:52

nitinwepro approved these changes May 14, 2026

View reviewed changes

skhaitan merged commit b7208e2 into main May 14, 2026
2 checks passed