mirror of
https://github.com/ivuorinen/gibidify.git
synced 2026-02-10 04:47:59 +00:00
* fix(tests): remove unused test constants and helpers

  Delete dead test code that caused 41 staticcheck U1000 violations:
  - cli/test_constants.go (25 unused constants)
  - cli/terminal_test_helpers.go (unused type, method, 7 variables)
  - fileproc/test_constants.go (5 unused constants)
  - fileproc/processor_test.go (2 unused helper functions)

* fix(security): replace custom secret detection with gitleaks

  The hand-rolled check_secrets regex patterns produced false positives on
  configKey test values, causing make security-full to fail. Replace with
  gitleaks via go run for proper secret detection with built-in rules and
  allowlist support for generated report files.

* chore(deps): update dependencies and fix install-tools

  Update Go module dependencies to latest versions. Fix checkmake install
  path and remove yamllint go install (yamllint is a Python tool, not
  installable via go install).

* docs: add design document for gitleaks integration

* feat: update go to 1.25.6
1.8 KiB
Replace check_secrets with gitleaks
Problem
The check_secrets function in scripts/security-scan.sh uses hand-rolled regex
patterns that produce false positives. The pattern key\s*[:=]\s*['"][^'"]{8,}['"]
is not anchored, so "key" matches the tail of "configKey" and the pattern hits
every configKey: "backpressure.maxPendingFiles" line in config/getters_test.go
(40+ matches), causing make security-full to fail.
The git history check (git log --oneline -10 | grep -i "key|token") likewise
matches benign commit messages that merely contain words like "key" or "token".
Decision
Replace the custom check_secrets function with
gitleaks, a widely adopted Go-based secret
scanner with built-in rules for AWS keys, GitHub tokens, private keys, high-entropy
strings, and more.
Approach
- Drop-in replacement: Only the check_secrets function body changes. The function signature and return behavior (0 = clean, 1 = findings) remain identical.
- go run invocation: Use go run github.com/gitleaks/gitleaks/v8@latest so the tool is fetched automatically if not cached. No changes to install-tools.sh.
- Working tree scan only: Use gitleaks dir to scan current files. No git history scanning (matches the current script's scope).
- Config file: A .gitleaks.toml at the project root extends gitleaks' built-in rules with an allowlist to suppress known false positives in test files.
- CI unaffected: .github/workflows/security.yml runs its own inline steps (gosec, govulncheck, checkmake, shfmt, yamllint, Trivy) and does not call security-scan.sh or check_secrets.
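The following is an added example of what the replacement function body and the accompanying config can look like; it is not the project's own scripts/security-scan.sh or .gitleaks.toml. The variable names GITLEAKS_CMD and GITLEAKS_CONFIG, the print_gitleaks_config_template helper, and the allowlist path and regex in the template are assumptions made for illustration. The one point the example adds beyond the list above is exit-code handling: gitleaks exits 0 when clean and 1 on findings, but any other status (go run unable to fetch the module, a broken config file) must also be reported as a failure rather than read as a clean scan.

```shell
# Added example, not the project's own scripts/security-scan.sh: a drop-in
# check_secrets that delegates to gitleaks and keeps the 0 = clean / 1 = findings
# contract. GITLEAKS_CMD, GITLEAKS_CONFIG and the config template below are
# illustrative assumptions, not names taken from the repository.

# Command used to run gitleaks. The default follows the design note (go run,
# fetched on demand). Override it to use a local binary or a test stub, e.g.
# GITLEAKS_CMD=gitleaks. For reproducible scans, pin a version instead of @latest.
: "${GITLEAKS_CMD:=go run github.com/gitleaks/gitleaks/v8@latest}"
# Project-level config, passed with --config only when the file exists.
: "${GITLEAKS_CONFIG:=.gitleaks.toml}"

# check_secrets [DIR]
# Scans the working tree under DIR (default: current directory) with `gitleaks dir`.
# Returns 0 when clean, 1 when gitleaks reports findings, and also 1 when gitleaks
# itself fails to run: a tool error must never be mistaken for a clean scan.
check_secrets() {
    scan_dir="${1:-.}"
    # --exit-code 1 makes "leaks found" explicit; --redact keeps the matched
    # secrets out of CI logs; --no-banner keeps the output parseable.
    set -- dir "$scan_dir" --no-banner --redact --exit-code 1
    if [ -f "$GITLEAKS_CONFIG" ]; then
        set -- "$@" --config "$GITLEAKS_CONFIG"
    fi
    # shellcheck disable=SC2086  # GITLEAKS_CMD is intentionally word-split
    if $GITLEAKS_CMD "$@"; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0) echo "check_secrets: no secrets detected in $scan_dir"; return 0 ;;
        1) echo "check_secrets: gitleaks reported findings in $scan_dir" >&2; return 1 ;;
        *) echo "check_secrets: gitleaks did not run cleanly (exit $rc)" >&2; return 1 ;;
    esac
}

# print_gitleaks_config_template
# Emits a starting .gitleaks.toml: all built-in rules are kept, and an allowlist
# exempts the test-fixture lines that tripped the old regex. Redirect it into
# .gitleaks.toml once and maintain the file by hand. The path and regex are
# assumptions for illustration, not the project's actual allowlist.
print_gitleaks_config_template() {
    cat <<'EOF'
title = "gibidify gitleaks config"

[extend]
# Keep every built-in gitleaks rule; this file only adds exemptions on top.
useDefault = true

[allowlist]
description = "Known false positives in test fixtures"
# Go regexes matched against the file path.
paths = [
  '''config/getters_test\.go$''',
]
# Match against the whole source line rather than the extracted secret, so a
# configKey test value such as configKey: "backpressure.maxPendingFiles" is skipped.
regexTarget = "line"
regexes = [
  '''configKey:\s*"[A-Za-z0-9_.]+"''',
]
EOF
}
```

Keeping the allowlist narrow (one path pattern plus one line-level regex) matters more than it looks: a broad path allowlist such as every *_test.go file would also hide a real credential pasted into a test fixture, which is exactly the kind of leak a scanner in make security-full is there to catch.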
Files Changed
| File | Change |
|---|---|
| scripts/security-scan.sh | Replace check_secrets function body |
| .gitleaks.toml | New file: gitleaks configuration with allowlist |
Verification
make security-full # should pass end-to-end