Skip to content

Revert "chore: allowlist public Hardhat example key for gitleaks"#3

Open
up2itnow0822 wants to merge 1 commit into
mainfrom
revert-2-fix/gitleaks-hardhat-doc-fp
Open

Revert "chore: allowlist public Hardhat example key for gitleaks"#3
up2itnow0822 wants to merge 1 commit into
mainfrom
revert-2-fix/gitleaks-hardhat-doc-fp

Conversation

@up2itnow0822

@up2itnow0822 up2itnow0822 commented May 26, 2026

Copy link
Copy Markdown
Owner

Reverts #2

Greptile Summary

This PR reverts the gitleaks allowlist configuration added in PR #2, deleting .gitleaks.toml entirely. The revert is justified because the original allowlists referenced the wrong path prefix (a0-skills/) instead of the correct skills/ prefix, making them ineffective — but no corrected replacement is included.

  • The Hardhat example key (ac0974bec...) still appears in skills/azpowers-wallet/SKILL.md (lines 65, 125) and skills/azpowers-native/SKILL.md (lines 210, 239), so gitleaks will continue to fire false-positive alerts without a corrected config.
  • A follow-up PR adding a new .gitleaks.toml with the path patterns fixed to ^skills/azpowers-wallet/SKILL\.md$ and ^skills/azpowers-native/SKILL\.md$ is needed to close the loop.

Confidence Score: 3/5

Merging leaves the repo without any gitleaks configuration, so the Hardhat false-positive key in two documentation files will continue to trip CI scans.

The revert correctly removes a broken config (wrong path prefix a0-skills/ vs skills/), but deleting the file without a corrected replacement means gitleaks false-positive alerts on the Hardhat example key will persist.

skills/azpowers-wallet/SKILL.md and skills/azpowers-native/SKILL.md contain the Hardhat example key that will trigger false-positive gitleaks alerts once this config is removed.

Important Files Changed

Filename Overview
.gitleaks.toml Entire gitleaks config deleted; allowlists for the Hardhat example key are gone, so CI will flag false positives in skills/azpowers-wallet/SKILL.md and skills/azpowers-native/SKILL.md. The original allowlists also had incorrect path prefixes (a0-skills/ vs skills/), which is why this is being reverted, but no replacement config is provided.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[gitleaks scan triggered] --> B{.gitleaks.toml present?}
    B -- "Yes (PR #2, now reverted)" --> C{Path match?\na0-skills/ vs skills/}
    C -- "No match\n(wrong prefix)" --> D[Allowlist not applied\nFalse positive flagged]
    C -- "Match" --> E[Key allowed\nScan passes]
    B -- "No (after this revert)" --> F[Default config used]
    F --> G[Hardhat key in skills/azpowers-wallet/SKILL.md\nand skills/azpowers-native/SKILL.md]
    G --> H[False positive flagged\nCI may fail]
    style D fill:#f99,stroke:#c00
    style H fill:#f99,stroke:#c00
    style E fill:#9f9,stroke:#090
Loading

Comments Outside Diff (2)

  1. .gitleaks.toml

    P1 Broken allowlist paths — revert has no practical effect on scanning

    The deleted allowlist targeted a0-skills/azpowers-wallet/SKILL.md and a0-skills/azpowers-native/SKILL.md, but the actual files live under skills/ (no a0- prefix). Because the path regexes never matched, gitleaks was already scanning those files with default rules before this revert. The Hardhat sample key (ac0974...) is confirmed present in both skills/azpowers-wallet/SKILL.md and skills/azpowers-native/SKILL.md, and the security.yml CI job runs gitleaks-action@v2 on every push and PR. Removing the config entirely causes gitleaks to fall back to built-in defaults, which may flag the generic-api-key rule for those files and break CI. If a corrected config is re-added, the paths should use ^skills/azpowers-wallet/SKILL\.md$ and ^skills/azpowers-native/SKILL\.md$.

    Fix in Codex Fix in Cursor

  2. .gitleaks.toml

    P1 False-positive gitleaks failures will recur after this revert

    Deleting .gitleaks.toml without a replacement means gitleaks will scan the repository with its built-in defaults and flag the Hardhat example key at skills/azpowers-wallet/SKILL.md (lines 65, 125) and skills/azpowers-native/SKILL.md (lines 210, 239) as real secrets. This is the exact problem the deleted file was meant to solve.

    Worth noting: the deleted allowlists were already broken because their paths patterns referenced a0-skills/azpowers-wallet/SKILL.md and a0-skills/azpowers-native/SKILL.md, while the actual files live under skills/ — so gitleaks was still firing even with the config in place. The correct follow-up is a new .gitleaks.toml with the paths corrected to ^skills/azpowers-wallet/SKILL\.md$ and ^skills/azpowers-native/SKILL\.md$.

    Fix in Codex Fix in Cursor

Fix All in Codex Fix All in Cursor

Reviews (2): Last reviewed commit: "Revert "chore: allowlist public Hardhat ..." | Re-trigger Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant