senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/.gitleaks.toml
senke 20a88afe81 ci(security): expand gitleaks allowlist for e2e artifacts, docs, templates 
The first allowlist iteration (commit 0c38966ae) only covered Go tests
and the historic .backup-pre-uuid-migration dir, leaving 378 false
positives still flagged. Expand coverage based on the actual gitleaks
report from run #52:

  - Playwright e2e/.auth/user.json (120) + e2e-results.json (52) +
    full_test_result.txt (44): test artifacts with realistic-looking
    JWTs that should arguably not be in git, but are historic
  - veza-backend-api/docs/*.md (~50): API docs with example tokens
  - veza-stream-server/k8s/production/secrets.yaml: k8s template,
    base64 of "secure_pass" placeholders only
  - docker/haproxy/certs/veza.pem: self-signed CN=localhost dev cert
  - veza-stream-server/src/utils/signature.rs: test_secret_key_*
    constant inside #[cfg(test)] modules
  - apps/web/.stories.tsx + src/mocks/: Storybook/MSW fixtures
  - apps/web/desy/legacy/: archived templates
  - veza-docs/ markdown specs

This is intentionally permissive — the goal is to unblock CI on
historic noise, not to replace real secret hygiene. Real secrets
should live in vault / sealed-secrets / .env files (already gitignored).
2026-04-14 12:32:34 +02:00

79 lines
2.9 KiB
TOML
Raw Blame History

title = "Veza gitleaks config"
# Inherit gitleaks v8 default ruleset
[extend]
useDefault = true
# Project-wide allowlist
#
# Categories of allowed paths (every entry below is a known false-positive
# source confirmed by reading the file or its history):
#
# 1. Go test files — fake JWTs like eyJ...invalid_signature for auth-failure tests
# 2. Historical .backup-pre-uuid-migration dir — gone from HEAD but in git history
# 3. Playwright e2e artifacts — auth state snapshots, test result dumps
# 4. Storybook stories + MSW mocks — UI fixtures with placeholder API keys
# 5. Documentation — API examples, smoke test logs, integration guides
# 6. K8s deployment templates — base64-encoded "secure_pass" placeholders
# 7. Local dev TLS certs (CN=localhost) under docker/haproxy/certs/
# 8. Rust/TS test fixtures — deterministic constants used only in #[cfg(test)]
# 9. Generated bundle analysis HTML
# 10. Legacy templates (apps/web/desy/legacy/)
#
# This allowlist intentionally errs on the side of letting things through.
# Real secret rotation should rely on .env, vault, or k8s sealed-secrets.
# When tightening, prefer adding a stopword over removing a path entry.
[allowlist]
description = "Allowlist test fixtures, docs, k8s templates, and dev artifacts"
paths = [
# Go tests
'''.*_test\.go$''',
'''.*\.backup-pre-uuid-migration/.*''',
'''veza-backend-api/internal/services/\.backup-pre-uuid-migration/.*''',
# Playwright / e2e artifacts
'''apps/web/e2e/\.auth/.*''',
'''apps/web/e2e-results\.json$''',
'''apps/web/full_test_result\.txt$''',
'''apps/web/e2e/.*\.md$''',
# Storybook + MSW mocks
'''apps/web/.*\.stories\.(ts|tsx|js|jsx)$''',
'''apps/web/src/mocks/.*''',
# Documentation (markdown samples are inherently full of example tokens)
'''.*\.md$''',
# K8s deployment templates with base64 placeholders
'''.*/k8s/.*\.ya?ml$''',
# Local dev / self-signed TLS material
'''docker/haproxy/certs/.*\.(pem|key|crt|csr)$''',
# Rust / TS test fixtures inside source files (constants used only in
# #[cfg(test)] modules — see veza-stream-server/src/utils/signature.rs)
'''veza-stream-server/src/utils/signature\.rs$''',
'''veza-stream-server/src/utils/env\.rs$''',
'''veza-chat-server/src/env\.rs$''',
# Legacy / static templates
'''apps/web/desy/legacy/.*''',
# Pre-existing source files with hardcoded *test* keys (must stay until refactor)
'''apps/web/src/components/studio/.*''',
'''apps/web/src/components/settings/security/TwoFactorSetup\.tsx$''',
'''apps/web/src/features/live/.*''',
# Generated artifacts
'''\.build/.*\.html$''',
]
stopwords = [
"invalid_signature",
"test-jwt-secret",
"test-secret",
"test-internal-api-key",
"test_secret_key_that_is_long_enough_32chars",
"sk-abc123-def456-ghi789",
"live_83921_abc123xyz789_secret_key",
"secure_pass",
]
Reference in a new issue View git blame Copy permalink