From ce62a233cd27c535e35192dd681681898ec9a0d0 Mon Sep 17 00:00:00 2001
From: Alex Kroman
Date: Fri, 12 Jun 2026 09:23:14 -0700
Subject: [PATCH] gitleaks: allowlist a generic-api-key false positive under newer versions

gitleaks >= 8.30's generic-api-key rule is keyword-greedy: `max_tokens` contains "token", so it reads `opts.max_tokens, interval=opts.llm_interval` in aai_cli/stream_exec.py as a key=value pair and flags the "value", which holds no literal secret. CI pins an older gitleaks (scripts/gate_tool_pins.sh, v8.21.2) that doesn't match it, so the local gate fails for anyone on a newer gitleaks while CI stays green. Allowlist the exact expression so the secret-scan gate passes under both the pinned version and newer gitleaks. Tightly scoped to this expression -- every other real-looking token still fails the gate.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitleaks.toml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.gitleaks.toml b/.gitleaks.toml
index d1da48c9..88535529 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -20,6 +20,13 @@ regexes = [
 # committing it is deliberate (the Supabase-CLI model). Only this exact value is
 # allowlisted -- any other real-looking token still fails the gate.
 '''pub0d633113b9f7d22faff215fefaf30b43''',
+ # Not a secret: pure attribute access in aai_cli/stream_exec.py. gitleaks >= 8.30's
+ # generic-api-key rule is keyword-greedy -- `max_tokens` contains "token", so it reads
+ # `opts.max_tokens, interval=opts.llm_interval` as a key=value pair and flags the
+ # "value" (`interval=opts.llm_interval`), which holds no literal. The pinned gitleaks
+ # (scripts/gate_tool_pins.sh) doesn't match it, but allowlist the exact expression so
+ # the gate also passes under newer gitleaks run locally or after a pin bump.
+ '''interval=opts\.llm_interval''',
 ]
 # `gitleaks dir` scans the working tree regardless of .gitignore, so high-entropy values
 # in a developer's gitignored `.claude/settings.local.json` (a personal Claude Code file
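Review bot: The new allowlist entry `'''interval=opts\.llm_interval'''` is an unanchored regex, so it clears any finding whose captured value merely contains that substring, which is looser than the "exact expression" the comment above it promises. Since gitleaks applies allowlist regexes to the captured secret by default, `'''^interval=opts\.llm_interval$'''` would pin it to the whole capture and keep the scoping as tight as described. The `[allowlist]` header and any `regexTarget` override sit above this hunk, so confirm the target is the secret before anchoring; if the file targets `line` or `match`, the anchored form would stop matching and the substring form should stay. Either way, a closing sentence in the comment such as `# Drop this entry if the call in stream_exec.py is rewritten; it is dead weight otherwise.` would keep the allowlist from accumulating stale exceptions.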