ci: gitleaks allowlist for historical findings
Two pre-existing PASTE_AUTH tokens in scripts/build.sh and scripts/build-linux-notify.sh are real and should be rotated if the paste.tbs.amn.gg / paste.dk.manko.yoga endpoints still authenticate — this allowlist only silences the pre-push hook, it does not remove the exposure. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
14
.gitleaks.toml
Normal file
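--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -0,0 +1,14 @@
+[extend]
+useDefault = true
+
+[[allowlists]]
+description = "Pre-existing historical findings already on fj/main and github/main. The two PASTE_AUTH tokens in scripts/build.sh and scripts/build-linux-notify.sh are real — rotate if those endpoints still authenticate; this allowlist only silences the pre-push hook, it does not remove the exposure."
+commits = [
+# wzp-crypto module doc: false positive on "SHA-256(Ed25519 pub)[:16]"
+"51e893590c1b9fa49e9f6ae5c96c26deb58f353b",
+# build.sh PASTE_AUTH (paste.tbs.amn.gg)
+"bd6733b2e5d76b5259020f1c30a5223a9773b6aa",
+# build-linux-notify Authorization header (paste.dk.manko.yoga)
+"6d776097c83bc6fbe3f3565e080513d8af93b550",
+"7751439e2bca9eacf2c30929c8124a4eb6136df2",
+]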
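Review bot: The `commits` list in `[[allowlists]]` exempts every finding in the four listed commits, not only the three findings the comments describe, so any other secret that landed in those commits would also pass the pre-push hook unreported. Because the description says the two PASTE_AUTH tokens are real, the two token commits would be better placed in their own `[[allowlists]]` entry with `condition = "AND"` and `paths` limited to `scripts/build.sh` and `scripts/build-linux-notify.sh`, or the exact findings ignored by fingerprint in `.gitleaksignore`. The last hash, `7751439e2bca9eacf2c30929c8124a4eb6136df2`, has no comment of its own; a line stating which finding it covers would show a later reader why it is exempt. If history is later rewritten to purge the tokens, these hashes stop matching and the list should be removed rather than left stale.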