Commit Graph

1 Commits

Author SHA1 Message Date
Harshit Singh Bhandari 982cd62886
ci(gitleaks): allowlist historical false-positive commits from rewrite graft (#2169)
The gitleaks job scans full git history on push to main (gitleaks-action
v1.6.0 runs `gitleaks --path` with no commit filter on push events). The
ReverbCode rewrite graft (#2166) carried 279 commits of prior history, 10 of
which trip 42 findings: example secret-patterns in security docs and
secret-redaction test fixtures. All offending files are already deleted from
the tree, so PRs pass (they scan only their own diff) but every push to main
re-scans history and fails indefinitely.

Add `.github/.gitleaks.toml` (the action's default config-path) carrying the
full gitleaks v7.4.0 default ruleset plus a commit allowlist for the 10
historical commits. Detection on new code is unchanged; only these specific
historical commits are skipped.

Verified with gitleaks v7.4.0: full-history scan goes 42 leaks -> 0.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 23:07:35 +05:30