Suppress false positives so `gitleaks detect` is clean: - third_party/* (cargokit ships a public binary-verification key) - workspace_management_unit_test.dart (obfuscated "token" fixture) - gatewayruntime/runtime_test.go (hardcoded "device-1" test key pair) Real leaked secrets are purged from history, not allowlisted. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
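# gitleaks config for xworkmate-app
#
# Keeps all default rules and allowlists known non-secret findings:
#   - vendored third-party code (cargokit ships a *public* verification key)
#   - unit-test fixtures (hardcoded "device-1" / "token" test vectors)
# Real leaked credentials are NOT allowlisted here — they are purged from
# history and rotated.
#
# Everything under [allowlist] is global: it applies to every rule, and a
# finding is dropped when it matches any one entry (a path OR a regex).
# Keep entries as narrow as possible and re-review them whenever a listed
# file changes.

title = "xworkmate-app gitleaks config"

[extend]
useDefault = true

[allowlist]
description = "Vendored third-party code and unit-test fixtures (no real secrets)"
# Path entries are regular expressions searched anywhere in the file path.
# Each one is anchored to a path-segment boundary with (^|/) so that a
# look-alike directory (for example "not_third_party/") is still scanned,
# and single-file entries end with $ so that copies such as "*.go.bak" are
# not silently covered.
paths = [
    # cargokit (super_native_extensions) ships a public binary-verification key.
    # NOTE(review): this silences every rule for the whole vendored tree, so a
    # real credential committed under third_party/ would go unreported.
    # Narrowing the entry to the cargokit directory would keep the rest of the
    # tree scanned.
    '''(^|/)third_party/.*''',
    # Dart unit-test fixtures: obfuscated "token" / fake TF password assertions.
    # A path entry also hides any secret added to this file later; a
    # per-finding fingerprint in .gitleaksignore is a narrower alternative.
    '''(^|/)test/features/workspace_management/workspace_management_unit_test\.dart$''',
    # Go unit-test fixtures: hardcoded "device-1" identity key pair
    '''(^|/)go/go_core/internal/gatewayruntime/runtime_test\.go$''',
]
regexes = [
    # cargokit public key value, in case it is referenced outside third_party/
    # NOTE(review): the pattern below is the literal text "test-public-key-hex",
    # which reads like a placeholder rather than a key value. As written it
    # drops any finding, in any file, whose secret contains that text (regexes
    # are compared with the finding's secret unless regexTarget is set).
    # Confirm this is the intended string, or replace it with the actual
    # public key value.
    '''test-public-key-hex''',
]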