Extend default gitleaks rules for Hardhat allowlist#5
Open
up2itnow0822 wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
[allowlist]config otherwise disables defaults.Description
[extend]\nuseDefault = trueat the top of.gitleaks.tomlso the default gitleaks rules are applied in addition to the custom allowlist.ac0974...ff80and scope it to^skills/azpowers-wallet/SKILL\.md$and^skills/azpowers-native/SKILL\.md$.Extend default gitleaks rules for Hardhat allowlist.Testing
.gitleaks.tomlwithtomlliband assertedextend.useDefaultistrue, which succeeded.pytest -qwhich completed successfully with10 passed, 1 warning.gitleaks detect --source . --no-git --config .gitleaks.tomlbut thegitleaksbinary is not installed in this environment so the scan could not be executed.Codex Task
Greptile Summary
This PR fixes a critical gap in secret-scanning coverage: the existing
.gitleaks.tomlcontained only a global[allowlist]with no[[rules]]and no[extend]block, which meant gitleaks was running against an empty ruleset and producing no findings. Adding[extend] useDefault = trueloads the built-in detection rules while preserving the narrowly-scoped allowlist.[extend] useDefault = truerestores all built-in gitleaks detection rules that were silently absent before this change.[allowlist]withcondition = \"AND\"continues to suppress the well-known Hardhat default private key (ac0974…ff80) only when it appears inskills/azpowers-wallet/SKILL.mdorskills/azpowers-native/SKILL.md, verified to be the two files that actually contain it.Confidence Score: 5/5
Safe to merge — adds three lines that restore built-in detection rules without altering any application logic or broadening the allowlist.
The change is a targeted, minimal fix to a gitleaks configuration that was previously running with no detection rules at all. The allowlist condition remains AND-gated on both the secret regex and the specific documentation file paths, so there is no relaxation of scanning for other files or secrets. Both SKILL.md files that the allowlist covers were confirmed to contain exactly the Hardhat default key the allowlist targets.
No files require special attention.
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%% flowchart TD A[gitleaks-action triggered] --> B[Load .gitleaks.toml] B --> C{extend.useDefault set?} C -->|true after this PR| D[Load built-in default rules] C -->|absent before this PR| E[Empty ruleset - no scanning] D --> F[Apply global allowlist with AND condition] F --> G{Matches regex AND path?} G -->|Yes| H[Suppress - Hardhat key in SKILL.md] G -->|No| I[Report finding] E --> J[Silent pass - no findings produced]Reviews (1): Last reviewed commit: "Extend default gitleaks rules" | Re-trigger Greptile