chore(security): add gitleaks config allowlisting vendored/test fixtures

Suppress false positives so `gitleaks detect` is clean: - third_party/* (cargokit ships a public binary-verification key) - workspace_management_unit_test.dart (obfuscated "token" fixture) - gatewayruntime/runtime_test.go (hardcoded "device-1" test key pair) Real leaked secrets are purged from history, not allowlisted. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 09:51:52 +08:00 · 2026-06-29 09:51:52 +08:00 · 03c2bd52eb
commit 03c2bd52eb
parent 7fa9018d53
1 changed files with 26 additions and 0 deletions
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@ -0,0 +1,26 @@
+# gitleaks config for xworkmate-app
+# Keeps all default rules, and allowlists known non-secret findings:
+#   - vendored third-party code (cargokit ships a *public* verification key)
+#   - unit-test fixtures (hardcoded "device-1" / "token" test vectors)
+# Real leaked credentials are NOT allowlisted here — they are purged from
+# history and rotated.
+
+title = "xworkmate-app gitleaks config"
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Vendored third-party code and unit-test fixtures (no real secrets)"
+paths = [
+  # cargokit (super_native_extensions) ships a public binary-verification key
+  '''third_party/.*''',
+  # Dart unit-test fixtures: obfuscated "token" / fake TF password assertions
+  '''test/features/workspace_management/workspace_management_unit_test\.dart''',
+  # Go unit-test fixtures: hardcoded "device-1" identity key pair
+  '''go/go_core/internal/gatewayruntime/runtime_test\.go''',
+]
+regexes = [
+  # cargokit public key value, in case it is referenced outside third_party/
+  '''test-public-key-hex''',
+]