mirror of
https://github.com/ivuorinen/gibidify.git
synced 2026-02-15 07:49:59 +00:00
Ismo Vuorinen
994099137a
* fix(tests): remove unused test constants and helpers Delete dead test code that caused 41 staticcheck U1000 violations: - cli/test_constants.go (25 unused constants) - cli/terminal_test_helpers.go (unused type, method, 7 variables) - fileproc/test_constants.go (5 unused constants) - fileproc/processor_test.go (2 unused helper functions) * fix(security): replace custom secret detection with gitleaks The hand-rolled check_secrets regex patterns produced false positives on configKey test values, causing make security-full to fail. Replace with gitleaks via go run for proper secret detection with built-in rules and allowlist support for generated report files. * chore(deps): update dependencies and fix install-tools Update Go module dependencies to latest versions. Fix checkmake install path and remove yamllint go install (yamllint is a Python tool, not installable via go install). * docs: add design document for gitleaks integration * feat: update go to 1.25.6
46 lines
1.8 KiB
Markdown
46 lines
1.8 KiB
Markdown
# Replace check_secrets with gitleaks
|
|
|
|
## Problem
|
|
|
|
The `check_secrets` function in `scripts/security-scan.sh` uses hand-rolled regex
|
|
patterns that produce false positives. The pattern `key\s*[:=]\s*['"][^'"]{8,}['"]`
|
|
matches every `configKey: "backpressure.maxPendingFiles"` line in
|
|
`config/getters_test.go` (40+ matches), causing `make security-full` to fail.
|
|
|
|
The git history check (`git log --oneline -10 | grep -i "key|token"`) also matches
|
|
on benign commit messages containing words like "key" or "token".
|
|
|
|
## Decision
|
|
|
|
Replace the custom `check_secrets` function with
|
|
[gitleaks](https://github.com/gitleaks/gitleaks), a widely adopted Go-based secret
|
|
scanner with built-in rules for AWS keys, GitHub tokens, private keys, high-entropy
|
|
strings, and more.
|
|
|
|
## Approach
|
|
|
|
- **Drop-in replacement**: Only the `check_secrets` function body changes. The
|
|
function signature and return behavior (0 = clean, 1 = findings) remain identical.
|
|
- **`go run` invocation**: Use `go run github.com/gitleaks/gitleaks/v8@latest` so
|
|
the tool is fetched automatically if not cached. No changes to `install-tools.sh`.
|
|
- **Working tree scan only**: Use `gitleaks dir` to scan current files. No git
|
|
history scanning (matches current script behavior scope).
|
|
- **Config file**: A `.gitleaks.toml` at the project root extends gitleaks' built-in
|
|
rules with an allowlist to suppress known false positives in test files.
|
|
- **CI unaffected**: `.github/workflows/security.yml` runs its own inline steps
|
|
(gosec, govulncheck, checkmake, shfmt, yamllint, Trivy) and does not call
|
|
`security-scan.sh` or `check_secrets`.
|
|
|
|
## Files Changed
|
|
|
|
| File | Change |
|
|
|------|--------|
|
|
| `scripts/security-scan.sh` | Replace `check_secrets` function body |
|
|
| `.gitleaks.toml` | New file -- gitleaks configuration with allowlist |
|
|
|
|
## Verification
|
|
|
|
```bash
|
|
make security-full # should pass end-to-end
|
|
```
|