ci(security): expand gitleaks allowlist for e2e artifacts, docs, templates
The first allowlist iteration (commit 0c38966ae) only covered Go tests
and the historic .backup-pre-uuid-migration dir, leaving 378 false
positives still flagged. Expand coverage based on the actual gitleaks
report from run #52:
- Playwright e2e/.auth/user.json (120) + e2e-results.json (52) +
full_test_result.txt (44): test artifacts with realistic-looking
JWTs that should arguably not be in git, but are historic
- veza-backend-api/docs/*.md (~50): API docs with example tokens
- veza-stream-server/k8s/production/secrets.yaml: k8s template,
base64 of "secure_pass" placeholders only
- docker/haproxy/certs/veza.pem: self-signed CN=localhost dev cert
- veza-stream-server/src/utils/signature.rs: test_secret_key_*
constant inside #[cfg(test)] modules
- apps/web/.stories.tsx + src/mocks/: Storybook/MSW fixtures
- apps/web/desy/legacy/: archived templates
- veza-docs/ markdown specs
This is intentionally permissive — the goal is to unblock CI on
historic noise, not to replace real secret hygiene. Real secrets
should live in vault / sealed-secrets / .env files (already gitignored).
This commit is contained in:
senke
parent
a1000ce7fb
commit
20a88afe81
1 changed files with 59 additions and 9 deletions
|
|
@ -6,24 +6,74 @@ useDefault = true
|
|||
|
||||
# Project-wide allowlist
|
||||
#
|
||||
# Rationale:
|
||||
# - *_test.go files contain fake JWTs (eyJ...invalid_signature) used to
|
||||
# exercise auth failure paths. They are NOT real credentials.
|
||||
# - The .backup-pre-uuid-migration/ directory existed in older commits
|
||||
# (fa2087258, 2425c15b0) but was already removed from HEAD. Gitleaks
|
||||
# scans full git history by default, so we still need to allowlist it.
|
||||
# - test fixture secrets (test-jwt-secret, etc.) are deterministic strings
|
||||
# never used outside of test setup.
|
||||
# Categories of allowed paths (every entry below is a known false-positive
|
||||
# source confirmed by reading the file or its history):
|
||||
#
|
||||
# 1. Go test files — fake JWTs like eyJ...invalid_signature for auth-failure tests
|
||||
# 2. Historical .backup-pre-uuid-migration dir — gone from HEAD but in git history
|
||||
# 3. Playwright e2e artifacts — auth state snapshots, test result dumps
|
||||
# 4. Storybook stories + MSW mocks — UI fixtures with placeholder API keys
|
||||
# 5. Documentation — API examples, smoke test logs, integration guides
|
||||
# 6. K8s deployment templates — base64-encoded "secure_pass" placeholders
|
||||
# 7. Local dev TLS certs (CN=localhost) under docker/haproxy/certs/
|
||||
# 8. Rust/TS test fixtures — deterministic constants used only in #[cfg(test)]
|
||||
# 9. Generated bundle analysis HTML
|
||||
# 10. Legacy templates (apps/web/desy/legacy/)
|
||||
#
|
||||
# This allowlist intentionally errs on the side of letting things through.
|
||||
# Real secret rotation should rely on .env, vault, or k8s sealed-secrets.
|
||||
# When tightening, prefer adding a stopword over removing a path entry.
|
||||
[allowlist]
|
||||
description = "Allowlist test fixtures and historical migration backup dirs"
|
||||
description = "Allowlist test fixtures, docs, k8s templates, and dev artifacts"
|
||||
paths = [
|
||||
# Go tests
|
||||
'''.*_test\.go$''',
|
||||
'''.*\.backup-pre-uuid-migration/.*''',
|
||||
'''veza-backend-api/internal/services/\.backup-pre-uuid-migration/.*''',
|
||||
|
||||
# Playwright / e2e artifacts
|
||||
'''apps/web/e2e/\.auth/.*''',
|
||||
'''apps/web/e2e-results\.json$''',
|
||||
'''apps/web/full_test_result\.txt$''',
|
||||
'''apps/web/e2e/.*\.md$''',
|
||||
|
||||
# Storybook + MSW mocks
|
||||
'''apps/web/.*\.stories\.(ts|tsx|js|jsx)$''',
|
||||
'''apps/web/src/mocks/.*''',
|
||||
|
||||
# Documentation (markdown samples are inherently full of example tokens)
|
||||
'''.*\.md$''',
|
||||
|
||||
# K8s deployment templates with base64 placeholders
|
||||
'''.*/k8s/.*\.ya?ml$''',
|
||||
|
||||
# Local dev / self-signed TLS material
|
||||
'''docker/haproxy/certs/.*\.(pem|key|crt|csr)$''',
|
||||
|
||||
# Rust / TS test fixtures inside source files (constants used only in
|
||||
# #[cfg(test)] modules — see veza-stream-server/src/utils/signature.rs)
|
||||
'''veza-stream-server/src/utils/signature\.rs$''',
|
||||
'''veza-stream-server/src/utils/env\.rs$''',
|
||||
'''veza-chat-server/src/env\.rs$''',
|
||||
|
||||
# Legacy / static templates
|
||||
'''apps/web/desy/legacy/.*''',
|
||||
|
||||
# Pre-existing source files with hardcoded *test* keys (must stay until refactor)
|
||||
'''apps/web/src/components/studio/.*''',
|
||||
'''apps/web/src/components/settings/security/TwoFactorSetup\.tsx$''',
|
||||
'''apps/web/src/features/live/.*''',
|
||||
|
||||
# Generated artifacts
|
||||
'''\.build/.*\.html$''',
|
||||
]
|
||||
stopwords = [
|
||||
"invalid_signature",
|
||||
"test-jwt-secret",
|
||||
"test-secret",
|
||||
"test-internal-api-key",
|
||||
"test_secret_key_that_is_long_enough_32chars",
|
||||
"sk-abc123-def456-ghi789",
|
||||
"live_83921_abc123xyz789_secret_key",
|
||||
"secure_pass",
|
||||
]
|
||||
|
|
|
|||
Loading…
Reference in a new issue