From e99e020914807584cc5af4c45666005eb420940f Mon Sep 17 00:00:00 2001
From: bobturneruk
Date: Wed, 15 Apr 2026 14:38:11 +0000
Subject: [PATCH 1/5] ci: gitleaks

---
 .github/workflows/gitleaks.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .github/workflows/gitleaks.yaml

diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
new file mode 100644
index 0000000..209a422
--- /dev/null
+++ b/.github/workflows/gitleaks.yaml
@@ -0,0 +1,20 @@
+on:
+  pull_request:
+    branches:
+      - develop
+      - main
+  push:
+    tags:
+      - '*.*.*'
+      - '*.*.*-rc*'
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for GitLeaks
+        uses: gacts/gitleaks@v1
\ No newline at end of file

From 01cdcbfe56ccb6f8e6869206f907d6aa32444d2f Mon Sep 17 00:00:00 2001
From: bobturneruk
Date: Wed, 15 Apr 2026 14:45:09 +0000
Subject: [PATCH 2/5] ci: skip false positives

---
 .gitleaks.toml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .gitleaks.toml

diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..eea7ee0
--- /dev/null
+++ b/.gitleaks.toml
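Review bot: Both actions in the `steps` block are referenced by mutable tags (`actions/checkout@v4`, `gacts/gitleaks@v1`), so the scanner that gates merges into `develop`/`main` runs whatever code those tags point to on a given day; pin each to a full-length commit SHA and keep the tag as a comment, e.g. `uses: gacts/gitleaks@<full commit SHA>  # v1`. The workflow also declares no `permissions:` block, so the job's GITHUB_TOKEN gets the repository's default scope rather than the read-only access a scan needs; add `permissions:` / `  contents: read` at the top level. The `on:` triggers cover pull requests and release tags but not direct pushes to `develop` or `main`, which may be intentional, but if direct pushes are permitted a secret committed that way is only caught when a later tag is pushed.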
@@ -0,0 +1,29 @@
+# -----------------------------------------------------------------------------
+# Gitleaks Configuration
+# -----------------------------------------------------------------------------
+title = "Gitleaks Configuration"
+
+# Extend the built-in default ruleset so we only add repo-specific allowlists.
+[extend]
+useDefault = true
+
+# -----------------------------------------------------------------------------
+# Allowlist (False Positives)
+# -----------------------------------------------------------------------------
+# Each allowlist is scoped to a single rule and a single exact file path.
+# This keeps the ignore surface minimal while allowing known test fixtures and
+# archived example content to pass secret scanning.
+
+[[allowlists]]
+description = "Allow GBK translation sequence false positive for Square access token"
+targetRules = ["square-access-token"]
+paths = [
+    '''^reference/NC_000962\.3\.gbk''',
+    '''^reference/NZ_CP085945\.1\.gbk'''
+]
+
+description = "Allow GBK translation sequence false positive for alibaba access key ids"
+targetRules = ["alibaba-access-key-id"]
+paths = [
+    '''^reference/NZ_CP085945\.1\.gbk'''
+]
\ No newline at end of file

From ea3706e9ca378d4c4e84f7876861ed93fb9d472a Mon Sep 17 00:00:00 2001
From: bobturneruk
Date: Wed, 15 Apr 2026 14:56:10 +0000
Subject: [PATCH 3/5] ci: allowlists header

---
 .gitleaks.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitleaks.toml b/.gitleaks.toml
index eea7ee0..a447688 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -22,6 +22,7 @@ paths = [
     '''^reference/NZ_CP085945\.1\.gbk'''
 ]
 
+[[allowlists]]
 description = "Allow GBK translation sequence false positive for alibaba access key ids"
 targetRules = ["alibaba-access-key-id"]
 paths = [

From 7206e1d72077564a622b045c504eb294b7d2e1f7 Mon Sep 17 00:00:00 2001
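Review bot: The header comment says each allowlist covers "a single exact file path", but the `paths` patterns are anchored only at the start (`'''^reference/NC_000962\.3\.gbk'''`), so any path that merely begins with that string — a stray copy such as `reference/NC_000962.3.gbk.bak` — is also exempt from the `square-access-token` rule; append `$` to each pattern, e.g. `'''^reference/NC_000962\.3\.gbk$'''`, so the regex matches the comment. Scoping by `targetRules` plus path is already narrower than a bare path ignore, but if the false positive is one specific translation string, an allowlist can instead carry `regexes` with `regexTarget = "match"` so only that match is exempted rather than every hit of the rule anywhere in the file. `[[allowlists]]` with `targetRules` is, as far as I can tell, only understood by recent gitleaks releases; since the workflow takes whatever binary `gacts/gitleaks@v1` downloads, pinning the gitleaks version would make acceptance of this config deterministic.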
From: bobturneruk
Date: Wed, 15 Apr 2026 14:57:11 +0000
Subject: [PATCH 4/5] ci: fix ref data path

---
 .gitleaks.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitleaks.toml b/.gitleaks.toml
index a447688..9099013 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -16,9 +16,9 @@ useDefault = true
 
 [[allowlists]]
 description = "Allow GBK translation sequence false positive for Square access token"
-targetRules = ["square-access-token"]
+targetRules = ["square-access-token`"]
 paths = [
-    '''^reference/NC_000962\.3\.gbk''',
+    '''^grumpy/reference/NC_000962\.3\.gbk''',
     '''^reference/NZ_CP085945\.1\.gbk'''
 ]
 

From db68c7a7f0aa34f037e1a607a9fb02e9751b104b Mon Sep 17 00:00:00 2001
From: bobturneruk
Date: Wed, 15 Apr 2026 14:58:39 +0000
Subject: [PATCH 5/5] ci: backtick

---
 .gitleaks.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitleaks.toml b/.gitleaks.toml
index 9099013..554f57b 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -16,7 +16,7 @@ useDefault = true
 
 [[allowlists]]
 description = "Allow GBK translation sequence false positive for Square access token"
-targetRules = ["square-access-token`"]
+targetRules = ["square-access-token"]
 paths = [
     '''^grumpy/reference/NC_000962\.3\.gbk''',
     '''^reference/NZ_CP085945\.1\.gbk'''
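Review bot: Only the first `paths` entry is moved to `^grumpy/reference/`; the `'''^reference/NZ_CP085945\.1\.gbk'''` entry on the next line keeps the old prefix, and so does the identical entry in the `alibaba-access-key-id` allowlist, which lies outside this hunk. If the reference data now lives under `grumpy/reference/`, those two patterns match nothing, the NZ_CP085945 file is no longer exempted and the scan keeps failing on it; if that file was never moved, the entries are dead and should go. Change them to `'''^grumpy/reference/NZ_CP085945\.1\.gbk'''` (and consider a trailing `$` so each pattern is the exact path the header comment promises). The hunk in PATCH 5/5 below carries the same unchanged NZ_CP085945 entry.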