ci: allowlist gitleaks false positives blocking secret scan#974
Conversation
The generic-api-key rule matches the ADR-101 section heading token wasm32-compilable (present on main, so every PR branched from current main fails the scan) and two hex test fixtures in khive-pack-git cache tests. Allowlist the three matched strings; real detection unchanged. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
An unanchored global allowlist regex is tested against the extracted secret, so a real generic-api-key value containing an allowlisted substring would be suppressed repository-wide. Exact fingerprint ignores in .gitleaksignore scope each exception to one commit, path, rule, and line. Full-history scan verified clean locally.
|
Codex review (round 2, cumulative): APPROVE at head a98a3af. Findings: 0 Blocker, 0 High, 0 Medium, 0 Low. Round 1 (APPROVE-WITH-FIXES) raised one High: the original global unanchored allowlist regexes were tested against the extracted secret, so a real generic-api-key value that happened to contain an allowlisted substring would be suppressed repository-wide. Round 2 verifies the rework: the broad allowlist is replaced by a Verified locally against full history (1584 commits, gitleaks 8.30.1): four findings without the file, zero with it, exit 0. The pinned CI |
The
generic-api-keyrule flags the ADR-101 section heading tokenwasm32-compilable(in history onmain, so every PR branched from current main fails the Secret scan check) and two hex test fixtures inkhive-pack-gitcache tests. Adds a.gitleaks.tomlextending the default config with an allowlist for the three matched strings. Verified locally:gitleaks detectgoes from 4 findings to 0 with real detection rules unchanged.🤖 Generated with Claude Code