ci(gitleaks): allowlist historical false-positive commits from rewrite graft#2169
Open
harshitsinghbhandari wants to merge 1 commit into
…e graft

The gitleaks job scans full git history on push to main (gitleaks-action v1.6.0 runs `gitleaks --path` with no commit filter on push events). The ReverbCode rewrite graft (#2166) carried 279 commits of prior history, 10 of which trip 42 findings: example secret-patterns in security docs and secret-redaction test fixtures. All offending files are already deleted from the tree, so PRs pass (they scan only their own diff) but every push to main re-scans history and fails indefinitely.

Add `.github/.gitleaks.toml` (the action's default config-path) carrying the full gitleaks v7.4.0 default ruleset plus a commit allowlist for the 10 historical commits. Detection on new code is unchanged; only these specific historical commits are skipped.

Verified with gitleaks v7.4.0: full-history scan goes 42 leaks -> 0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Problem

The `gitleaks` job fails on every push to `main` and will keep failing indefinitely. `gitleaks-action@v1.6.0` (gitleaks v7.4.0) scans differently per event:

The ReverbCode rewrite graft (#2166) brought 279 commits of prior history. 10 of them trip 42 findings, all false positives:

- `SECURITY.md`, `docs/DEVELOPMENT.md`, `docs/SECURITY-AUDIT-SUMMARY.md` describing what tokens look like (`xoxb-*`, `-----BEGIN ... PRIVATE KEY-----`, etc.).
- `packages/core/src/activity-events.ts` + tests (secret-shaped strings used to assert the sanitizer strips them).

All offending files are already deleted from the tree. That's why PRs are green (they only scan their own diff) while pushes to `main` re-scan full history and fail.

Fix

Add `.github/.gitleaks.toml` (the path `gitleaks-action` already points `--config-path` at) containing the full gitleaks v7.4.0 default ruleset plus a `commits` allowlist for the 10 historical commits. The default rules must be included verbatim because gitleaks v7 replaces its built-in config when a config file is supplied; detection on new code is otherwise unchanged.

Allowlisting by commit SHA is precise and forward-safe: the offending files are gone, so no new code is exempted.

Verification

Ran the exact CI binary (gitleaks v7.4.0) over full history:

```
leaks found: 42
```

```
No leaks found
```

🤖 Generated with Claude Code