ivuorinen/gibidify
1
0
Fork 0
mirror of https://github.com/ivuorinen/gibidify.git synced 2026-03-19 12:02:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: add design document for gitleaks integration

Browse Source
This commit is contained in:
Ismo Vuorinen
2026-02-01 11:20:05 +02:00
parent be82a260c9
commit c96dcbfb82
1 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
docs/plans/2026-02-01-replace-check-secrets-with-gitleaks-design.md Normal file
View File

@@ -0,0 +1,45 @@
# Replace check_secrets with gitleaks
## Problem
The `check_secrets` function in `scripts/security-scan.sh` uses hand-rolled regex
patterns that produce false positives. The pattern `key\s*[:=]\s*['"][^'"]{8,}['"]`
matches every `configKey: "backpressure.maxPendingFiles"` line in
`config/getters_test.go` (40+ matches), causing `make security-full` to fail.
The git history check (`git log --oneline -10 | grep -i "key|token"`) also matches
on benign commit messages containing words like "key" or "token".
## Decision
Replace the custom `check_secrets` function with
[gitleaks](https://github.com/gitleaks/gitleaks), a widely adopted Go-based secret
scanner with built-in rules for AWS keys, GitHub tokens, private keys, high-entropy
strings, and more.
## Approach
- **Drop-in replacement**: Only the `check_secrets` function body changes. The
function signature and return behavior (0 = clean, 1 = findings) remain identical.
- **`go run` invocation**: Use `go run github.com/gitleaks/gitleaks/v8@latest` so
the tool is fetched automatically if not cached. No changes to `install-tools.sh`.
- **Working tree scan only**: Use `gitleaks dir` to scan current files. No git
history scanning (matches current script behavior scope).
- **Config file**: A `.gitleaks.toml` at the project root extends gitleaks' built-in
rules with an allowlist to suppress known false positives in test files.
- **CI unaffected**: `.github/workflows/security.yml` runs its own inline steps
(gosec, govulncheck, checkmake, shfmt, yamllint, Trivy) and does not call
`security-scan.sh` or `check_secrets`.
## Files Changed
| File | Change |
|------|--------|
| `scripts/security-scan.sh` | Replace `check_secrets` function body |
| `.gitleaks.toml` | New file -- gitleaks configuration with allowlist |
## Verification
```bash
make security-full # should pass end-to-end
```