The gitleaks job reported 389 leaks, but every match fell into one of:
- eyJ...invalid_signature fake JWTs in *_test.go (used to exercise
auth failure paths — never a real credential)
- veza-backend-api/internal/services/.backup-pre-uuid-migration/
which existed in commits 2425c15b0 / 2425c15b0 but is gone from HEAD;
gitleaks scans full git history so removing the dir would not help
- test-jwt-secret / test-internal-api-key constants in setupTestRouter
Add a .gitleaks.toml that extends the v8 default ruleset and allowlists
those paths and stopwords. Update the workflow to pass --config so the
file is honored.
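title = "Veza gitleaks config"

# Inherit the gitleaks v8 default ruleset. The [allowlist] below only
# suppresses matches produced by those rules; it does not disable any rule.
[extend]
useDefault = true

# Project-wide allowlist
#
# Rationale:
# - *_test.go files contain fake JWTs (eyJ...invalid_signature) used to
#   exercise auth failure paths. They are NOT real credentials.
# - The .backup-pre-uuid-migration/ directory existed in older commits
#   (fa2087258, 2425c15b0) but was already removed from HEAD. Gitleaks
#   scans full git history by default, so we still need to allowlist it.
# - test fixture secrets (test-jwt-secret, etc.) are deterministic strings
#   never used outside of test setup.
#
# Review notes:
# - The *_test.go path entry exempts every test file from every rule, so a
#   real credential accidentally committed to a test would not be reported.
#   The stopwords below appear to cover the known fixtures on their own;
#   consider dropping the path entry once a scan confirms they suffice.
# - stopwords are matched as substrings of the detected secret, so keep
#   them specific: a short generic word would silence unrelated findings.
[allowlist]
description = "Allowlist test fixtures and historical migration backup dirs"
# Regexes are matched against the repository-relative file path.
paths = [
    '''.*_test\.go$''',
    # Matches the directory at any depth, which already covers
    # veza-backend-api/internal/services/.backup-pre-uuid-migration/.
    '''.*\.backup-pre-uuid-migration/.*''',
]
stopwords = [
    "invalid_signature",
    "test-jwt-secret",
    "test-secret",
    "test-internal-api-key",
]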