From 41f127a3e4bd31c36db9efd13e3ac0fdda0716ea Mon Sep 17 00:00:00 2001
From: jcrabtree
Date: Mon, 18 May 2026 10:27:28 -0400
Subject: [PATCH] fix(security): replace broken gitleaks rule-as-allowlist with canonical config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous .gitleaks.toml used a [[rules]] block with tags=["allowlist"] to try to suppress false positives. That is a DETECTION rule that fires on test|fake|example|placeholder|dummy|sample anywhere in a string, causing a false-positive storm on data-testid, testing-library, :latest tags, samplerArg, etc. Gitleaks tags are metadata only — they do not silence rules. The correct suppression mechanism is `[allowlist]` (top-level) or `[[rules]].allowlist` (per-rule). This commit replaces the broken file with the canonical Magnon template approved in Project-Aethra/aethra#6.

Refs: P58/P71 gitleaks rule-as-allowlist fix sweep
---
 .gitleaks.toml | 59 +++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 51 insertions(+), 8 deletions(-)

diff --git a/.gitleaks.toml b/.gitleaks.toml
index 43457fbdcc..38cd3f1ec1 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -1,25 +1,68 @@
 # Copyright (c) Magnon Compute Corporation. All rights reserved.
+#
+# Gitleaks configuration — extends default detection rules with a Magnon-wide
+# allowlist of well-understood false-positive patterns.
+#
+# Why this file looks the way it does:
+# * In gitleaks, `[[rules]]` blocks are DETECTION rules. The `tags` field is
+# metadata only — adding `tags = ["allowlist"]` to a rule does NOT silence it.
+# * The correct way to suppress false positives is `[allowlist]` (top-level)
+# or `[[rules]].allowlist` (per-rule). See:
+# https://github.com/gitleaks/gitleaks/blob/master/README.md#configuration
+#
+# This config replaces a previously broken `test-fixtures` rule (id, regex,
+# tags=allowlist) that was an additive detection rule matching any string
+# containing "test|fake|example|placeholder|dummy|sample". That rule produced a
+# false-positive storm on `data-testid`, `testing-library`, `:latest` image
+# tags, `samplerArg`, and dozens of other unrelated substrings.
+
 title = "Magnon Gitleaks Config"
 [extend]
 useDefault = true
-[[rules]]
-description = "Ignore test fixtures"
-id = "test-fixtures"
-regex = '''(?i)(fake|example|placeholder|test|dummy|sample)'''
-tags = ["allowlist"]
-
 [allowlist]
-description = "Global allowlist"
+description = "Magnon estate allowlist — well-understood non-secret patterns"
+
+# Stop-words for confirmed false-positive substrings that fired against the
+# previous broken `test-fixtures` rule. Keep this list tight; only add patterns
+# after confirming the matching string carries no real secret material.
 regexes = [
+ # Placeholder env-var and identifier prefixes/suffixes
 '''EXAMPLE_''',
 '''_PLACEHOLDER''',
 '''magnon\.io/''',
+ # Confirmed false-positive substrings from the P58 audit
+ '''data-testid''',
+ '''testing-library''',
+ '''samplerArg''',
+ '''parentbased_traceidratio''',
+ # Common image-tag references that look like assignments but aren't
+ '''(?i):(latest|staging|main|develop)\b''',
+ # Compound placeholders like FAKE_PASSWORD, EXAMPLE_TOKEN, DUMMY_KEY etc.
+ '''(?i)(fake|example|placeholder|dummy|sample|test)[-_]?(secret|password|token|key|api[-_]?key)''',
+ # SealedSecret stub placeholders used estate-wide
+ '''PLACEHOLDER_SEAL_WITH_KUBESEAL''',
+ '''REPLACE_WITH_KUBESEAL_OUTPUT''',
+ '''SEALED_SECRET_PLACEHOLDER''',
 ]
+
 paths = [
- '''.gitleaks.toml''',
+ '''\.gitleaks\.toml''',
 '''testdata/''',
 '''fixtures/''',
 '''tests/''',
+ '''docs/''',
+ '''README\.md''',
+ '''CLAUDE\.md''',
+ '''\.github/workflows/''',
 ]
+
+[[rules]]
+# kubeseal-produced ciphertext is base64 and looks like a high-entropy secret
+# to gitleaks. It is not — the value is encrypted under the cluster's sealed-secrets
+# controller public key and can only be decrypted in-cluster.
+id = "sealed-secret-encrypted-data"
+description = "kubeseal encryptedData ciphertext — not a raw secret"
+regex = '''encryptedData:\s+\S+:\s+[A-Za-z0-9+/=]{30,}'''
+allowlist.regexes = [".*"]
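Review bot: The trailing `[[rules]]` block (`sealed-secret-encrypted-data`) suppresses nothing: a rule's `allowlist` only filters that rule's own findings, so `allowlist.regexes = [".*"]` makes this rule never report while any default rule that flags the kubeseal base64 is untouched — the same rule-as-allowlist mistake this commit is removing. The suppression belongs in the top-level `[allowlist]` instead, e.g. `'''encryptedData:\s+\S+:\s+[A-Za-z0-9+/=]{30,}'''` under `regexes` together with `regexTarget = "line"`, bearing in mind that `regexTarget` applies to every pattern in that allowlist (the default target is the secret value alone), so the existing entries need re-checking against whole lines or the ciphertext pattern should go in a separate allowlist where the gitleaks release in use supports more than one. Separately, the `paths` entries are unanchored substring regexes and now exclude `docs/` and `\.github/workflows/` wholesale; workflow files are a common place for pasted credentials, so that exclusion deserves either a `^`-anchored, narrower path or a justification comment such as `# workflows excluded because <reason> — revisit`.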