fix(api): restore green gitleaks — path-allowlist log-redactor test fixtures #103
Merged
The re-cut/squash of the SP-5 metrics work (#101) changed the commit SHAs of the synthetic sk-*/ai_infera_* fixtures in tests/unit/test_structured_log.py, so the SHA-pinned .gitleaksignore fingerprints drifted and the full-history scan flagged them again (4 findings, all that one test file). Replace the fragile SHA-pinning with a robust path allowlist (matches the existing fixture-allowlist pattern). These are synthetic keys whose sole purpose is to exercise the log redactor — never live secrets. Verified: gitleaks detect over full history → no leaks found.
Fixes the gitleaks (detect) CI failure on main.
The #101 re-cut/squash changed the commit SHAs of the synthetic sk-*/ai_infera_* fixtures in tests/unit/test_structured_log.py (they exist only to test the log redactor). The SHA-pinned .gitleaksignore fingerprints drifted, so the full-history scan re-flagged them — 4 findings, all that one test file, all synthetic.
Fix: replace the fragile SHA-pinning with a path allowlist in .gitleaks.toml (same pattern as the existing fixture allowlist entries). Robust across future rebases.
Verified locally: gitleaks detect over full history → no leaks found.
Note
Low Risk
CI-only secret-scan configuration for a known unit-test file; no runtime auth, data, or application logic changes.
Overview
Restores green gitleaks (detect) on main by allowlisting tests/unit/test_structured_log.py in .gitleaks.toml instead of relying on SHA-pinned .gitleaksignore entries.
That unit file intentionally holds synthetic sk-*/ai_infera_* strings to exercise the log redactor; after the #101 squash/rebase, commit SHAs moved and the old fingerprints no longer matched, so full-history scan reported four findings in that file only.
The new path rule follows the same tight pattern as existing test/fixture allowlist entries (comment notes AIN-289).
Reviewed by Cursor Bugbot for commit cd2bafd.
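The drift described in this PR, as an added example: a simplified Python model of the two suppression mechanisms, not gitleaks' code and not this repository's configuration. The commit SHAs, rule id, line numbers, `src/settings.py` and the exact regex are constructed placeholders; the fingerprint shape `commit:file:rule:line` is that of a history-scan `.gitleaksignore` entry.

```python
import re
from dataclasses import dataclass

FIXTURE = "tests/unit/test_structured_log.py"
# Anchored path regex (assumed form; the page does not show the actual rule).
ALLOW_PATH = r"^tests/unit/test_structured_log\.py$"


@dataclass(frozen=True)
class Finding:
    commit: str  # SHA of the commit that introduced the matched line
    file: str
    rule_id: str
    line: int

    @property
    def fingerprint(self) -> str:
        # Shape of a history-scan .gitleaksignore entry: commit:file:rule:line
        return f"{self.commit}:{self.file}:{self.rule_id}:{self.line}"


def unsuppressed(findings, ignore_fingerprints=(), allow_paths=()):
    """Findings covered by neither an ignore fingerprint nor a path regex."""
    ignored = set(ignore_fingerprints)
    patterns = [re.compile(p) for p in allow_paths]
    return [
        f for f in findings
        if f.fingerprint not in ignored
        and not any(p.search(f.file) for p in patterns)
    ]


def scan(commit_sha, file=FIXTURE):
    # Constructed findings: four hits in one file, placeholder rule id and lines.
    return [Finding(commit_sha, file, "example-rule", n) for n in (10, 11, 20, 21)]


def demo():
    before = scan("aaaa111")                      # constructed pre-squash SHA
    pinned = [f.fingerprint for f in before]      # what .gitleaksignore held
    after = scan("bbbb222")                       # same lines, new SHA after squash
    other = scan("bbbb222", file="src/settings.py")  # hypothetical non-fixture file
    return {
        "pinned_before": len(unsuppressed(before, pinned)),
        "pinned_after": len(unsuppressed(after, pinned)),
        "path_after": len(unsuppressed(after, allow_paths=[ALLOW_PATH])),
        "path_other_file": len(unsuppressed(other, allow_paths=[ALLOW_PATH])),
    }
```

A path rule suppresses every finding in the matched file, so the anchored regex keeps the exemption limited to that one fixture file.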