update false positive secret detection allowlist #3239
Conversation
✅ Deploy Preview for apollo-ios-docs canceled.
|
| # https://github.com/apollographql/apollo-ios/blob/474554504e7e33cef2a71774f825d5b3947ff797/Tests/ApolloCodegenTests/TestHelpers/ASTMatchers.swift#L72 | ||
| # This was previously allowlisted via commit hash, but updating that rule | ||
| # To support allowlisting false positive detections in the files below as well. | ||
| '''Tests/ApolloCodegenTests/TestHelpers/ASTMatchers.swift''', |
There was a problem hiding this comment.
@BobaFetters - this file location will need to change with the move to apollo-ios-dev right?
@peakematt - you may not know about the upcoming change to our repo structure which is going to affect these changes. You can read about the change here. It's probably still worth merging in these changes and then adjusting the secret detection once we do the merge of that change.
There was a problem hiding this comment.
Thank you! That's really good to know!
Yeah I'll get these merged in and then can make adjustments to the new repos if/when needed.
There was a problem hiding this comment.
Yea the Tests folder in its entirety is going to exist in the new apollo-ios-dev repo so will probably just need to move this there.
| '''Tests/ApolloCodegenTests/TestHelpers/ASTMatchers.swift''', | ||
|
|
||
| # Allowlist the various high-entropy strings in xcscmblueprint files | ||
| '''Apollo.xcodeproj/project.xcworkspace/xcshareddata/Apollo.xcscmblueprint$''', |
There was a problem hiding this comment.
Similarly, these files shouldn't be a problem once we merge the repo change because they no longer exist.
There was a problem hiding this comment.
Although we will instead have apollo-ios-xcframework which will still contain an xcode project file.
There was a problem hiding this comment.
Yea the xcodeproj are all gone from everywhere except the apollo-ios-xcframework repo @calvincestari mentioned so it may be the only place this is needed going forward after the repo changes are fully released.
Implements
This updates the Apollo-specific secret allowlisting file in this repo to allowlist additional false positive / benign positive detections.
This PR allowlists a series of detections across git history in various
*.xcscmblueprintfiles. From my research, all of these values are identifiers and not secret, so these detections by Gitleaks, our selected secret scanning tool were spurious. To create the allowlisting config to properly ensure that net-new detections won't be generated when these files are modified in the future, I additionally needed to update the allowlisting config for lineapollo-ios/Tests/ApolloCodegenTests/TestHelpers/ASTMatchers.swift
Line 72 in 4745545
generic-api-keysignature and swapped to file-based allowlisting.Additionally, I added a bunch of commentary at the top of the file about the purpose of the
.gitleaks.tomlfile to provide more information to contributors to this repo.I tested this by replicating our secret scanning process on this repo locally. I confirmed that no detections were generated.