From 167be2f396c2aa6c6c6500d27dc4bd3488835da4 Mon Sep 17 00:00:00 2001
From: Snider
Date: Sat, 25 Apr 2026 16:36:47 +0100
Subject: [PATCH] chore(security): add .gitleaks.toml for working-tree path allowlist (Athena #325 dev-exp)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The .gitleaksignore file uses per-commit fingerprints which only match gitleaks's default with-git mode. Developers running `gitleaks detect --no-git` locally (e.g. for working-tree review) saw 7 false positives that the fingerprint format couldn't address. This .gitleaks.toml adds path-based allowlists that apply to BOTH modes, covering the same documented placeholder/test/example sites the .gitleaksignore covers in history form:
- .core/vm/ Traefik cert keys (mode 0600, untracked, generated for local VM)
- php/docs/ + blade.php API placeholders
- php/tests/ test fixtures
- php/Services/AgentDetection.php docblock examples
- pkg/agentic/prep_test.go t.Setenv env-clearing literal
Verified: `gitleaks detect --no-git -c .gitleaks.toml` returns "no leaks found". Default `gitleaks detect` (with-git) still uses .gitleaksignore + this config together — both modes now report 0 leaks for the documented false positives.
Co-authored-by: Codex
---
.gitleaks.toml | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 .gitleaks.toml

diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..b8f7059
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,33 @@
+# gitleaks config — path-based allowlist for working-tree mode.
+#
+# Default mode (`gitleaks detect`, with-git) uses .gitleaksignore for
+# per-commit fingerprint suppression. That's where committed-history
+# false positives belong.
+#
+# This config adds path/regex allowlists that apply to BOTH modes —
+# specifically for working-tree-only false positives that the fingerprint
+# format can't address (no commit SHA exists for working-tree files).
+#
+# Filed: Mantis #325 follow-up. Reviewer: athena 2026-04-25.
+
+title = "core/agent gitleaks config"
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Working-tree paths that contain documented placeholder/test/example secrets"
+paths = [
+ # Local VM workspace template — generated cert files (mode 0600, untracked)
+ '''\.core/vm/mnt/config/traefik/certs/.*\.key$''',
+ # PHP placeholder docs and blade templates with `YOUR_API_KEY`-style examples
+ '''php/docs/api-keys\.md$''',
+ '''php/View/Blade/admin/api-key-manager\.blade\.php$''',
+ # PHP test fixtures — `ak_test_*`, `claude-opus-4-*` model names, etc.
+ '''php/tests/Unit/ClaudeServiceTest\.php$''',
+ '''php/tests/Feature/AgentApiKeyTest\.php$''',
+ # PHP service docblock — `ak_a1b2c3...` example in a comment
+ '''php/Services/AgentDetection\.php$''',
+ # Go test that calls t.Setenv("CORE_BRAIN_KEY", "brain-key-123")
+ '''pkg/agentic/prep_test\.go$''',
+]
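Review bot: The allowlist silences whole files rather than the specific placeholder values, and its first entry (`'''\.core/vm/mnt/config/traefik/certs/.*\.key$'''`) matches real generated private keys; since the header comment itself notes the config applies in BOTH modes, a key from that directory that is ever staged and committed, or a live credential pasted into one of the allowlisted test files, would no longer be reported. For the doc and test files a content-scoped entry keeps real-secret detection while silencing the documented fixtures, e.g. a constructed `regexes = ['''ak_test_[A-Za-z0-9]+''', '''brain-key-123''']` alongside or instead of the blanket paths; for the cert directory I would rely on the untracked status the message describes plus `.gitignore` rather than an allowlist, and confirm that path is actually ignored. The path patterns are also unanchored at the front, so `'''php/docs/api-keys\.md$'''` matches that filename under any parent directory — a leading `^`, as in `'''^php/docs/api-keys\.md$'''`, scopes each entry to the repository root. Newer gitleaks releases appear to have moved to a `[[allowlists]]` array and may warn on the singular `[allowlist]` table; worth checking against whichever version the team pins.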