From 03c2bd52ebc17ed54f19241923745af2cd139fc5 Mon Sep 17 00:00:00 2001 From: Haitao Pan Date: Mon, 29 Jun 2026 09:51:52 +0800 Subject: [PATCH] chore(security): add gitleaks config allowlisting vendored/test fixtures Suppress false positives so `gitleaks detect` is clean: - third_party/* (cargokit ships a public binary-verification key) - workspace_management_unit_test.dart (obfuscated "token" fixture) - gatewayruntime/runtime_test.go (hardcoded "device-1" test key pair) Real leaked secrets are purged from history, not allowlisted. Co-Authored-By: Claude Opus 4.8 --- .gitleaks.toml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .gitleaks.toml diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 00000000..6ede5aaa --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,26 @@ +# gitleaks config for xworkmate-app +# Keeps all default rules, and allowlists known non-secret findings: +# - vendored third-party code (cargokit ships a *public* verification key) +# - unit-test fixtures (hardcoded "device-1" / "token" test vectors) +# Real leaked credentials are NOT allowlisted here — they are purged from +# history and rotated. + +title = "xworkmate-app gitleaks config" + +[extend] +useDefault = true + +[allowlist] +description = "Vendored third-party code and unit-test fixtures (no real secrets)" +paths = [ + # cargokit (super_native_extensions) ships a public binary-verification key + '''third_party/.*''', + # Dart unit-test fixtures: obfuscated "token" / fake TF password assertions + '''test/features/workspace_management/workspace_management_unit_test\.dart''', + # Go unit-test fixtures: hardcoded "device-1" identity key pair + '''go/go_core/internal/gatewayruntime/runtime_test\.go''', +] +regexes = [ + # cargokit public key value, in case it is referenced outside third_party/ + '''test-public-key-hex''', +]