Skip to content

Extend default gitleaks rules for Hardhat allowlist#5

Open
up2itnow0822 wants to merge 1 commit into
codex/fix-gitleaks-configuration-issuefrom
codex/fix-gitleaks.toml-to-extend-default-rules
Open

Extend default gitleaks rules for Hardhat allowlist#5
up2itnow0822 wants to merge 1 commit into
codex/fix-gitleaks-configuration-issuefrom
codex/fix-gitleaks.toml-to-extend-default-rules

Conversation

@up2itnow0822

@up2itnow0822 up2itnow0822 commented Jun 2, 2026

Copy link
Copy Markdown
Owner

Motivation

  • Ensure the repository keeps gitleaks’ built-in secret-detection rules enabled because a standalone [allowlist] config otherwise disables defaults.
  • Keep a narrowly scoped allowlist for the Hardhat example private key so documentation examples are not flagged while not weakening scanning for other files.

Description

  • Add [extend]\nuseDefault = true at the top of .gitleaks.toml so the default gitleaks rules are applied in addition to the custom allowlist.
  • Preserve the existing allowlist that matches the Hardhat default key ac0974...ff80 and scope it to ^skills/azpowers-wallet/SKILL\.md$ and ^skills/azpowers-native/SKILL\.md$.
  • Commit the change and prepare the follow-up PR titled Extend default gitleaks rules for Hardhat allowlist.

Testing

  • Parsed .gitleaks.toml with tomllib and asserted extend.useDefault is true, which succeeded.
  • Ran pytest -q which completed successfully with 10 passed, 1 warning.
  • Attempted gitleaks detect --source . --no-git --config .gitleaks.toml but the gitleaks binary is not installed in this environment so the scan could not be executed.

Codex Task

Greptile Summary

This PR fixes a critical gap in secret-scanning coverage: the existing .gitleaks.toml contained only a global [allowlist] with no [[rules]] and no [extend] block, which meant gitleaks was running against an empty ruleset and producing no findings. Adding [extend] useDefault = true loads the built-in detection rules while preserving the narrowly-scoped allowlist.

  • [extend] useDefault = true restores all built-in gitleaks detection rules that were silently absent before this change.
  • Global [allowlist] with condition = \"AND\" continues to suppress the well-known Hardhat default private key (ac0974…ff80) only when it appears in skills/azpowers-wallet/SKILL.md or skills/azpowers-native/SKILL.md, verified to be the two files that actually contain it.

Confidence Score: 5/5

Safe to merge — adds three lines that restore built-in detection rules without altering any application logic or broadening the allowlist.

The change is a targeted, minimal fix to a gitleaks configuration that was previously running with no detection rules at all. The allowlist condition remains AND-gated on both the secret regex and the specific documentation file paths, so there is no relaxation of scanning for other files or secrets. Both SKILL.md files that the allowlist covers were confirmed to contain exactly the Hardhat default key the allowlist targets.

No files require special attention.

Important Files Changed

Filename Overview
.gitleaks.toml Adds [extend] useDefault = true so default gitleaks rules are loaded alongside the existing narrowly-scoped Hardhat key allowlist; the prior config had no [[rules]] and was effectively running with zero detection coverage

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[gitleaks-action triggered] --> B[Load .gitleaks.toml]
    B --> C{extend.useDefault set?}
    C -->|true after this PR| D[Load built-in default rules]
    C -->|absent before this PR| E[Empty ruleset - no scanning]
    D --> F[Apply global allowlist with AND condition]
    F --> G{Matches regex AND path?}
    G -->|Yes| H[Suppress - Hardhat key in SKILL.md]
    G -->|No| I[Report finding]
    E --> J[Silent pass - no findings produced]
Loading

Reviews (1): Last reviewed commit: "Extend default gitleaks rules" | Re-trigger Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant