gitleaks false positive on documented hash in forgejo-mcp.md #77
Reference
james/carol#77
gitleaks 8.30.1 flags `forgejo-mcp.md` line 52 under `generic-api-key`:

The flagged value is the documented expected hash of the cosign public key file that a contributor downloads in step 2 of the MCP setup. It is a verification value, not a credential. gitleaks' `generic-api-key` heuristic hits on the 64-hex-char literal sitting near the word "key".

A similar pattern appears on line 69 (the image digest `sha256:5223…3786` in the cosign-verify example): same shape, so the same risk of being flagged by a future rule-pack update even if today's version misses it.

## Scope

Add an allowlist block to `.gitleaks.toml`:

- `paths` set to `^forgejo-mcp\.md$` so we don't blanket-exempt the rest of the repo.
- `regexes` set to `\b[a-f0-9]{64}\b` so a real secret in that file (auth token, OAuth `client_secret`, etc.) would still be caught.
- `condition = "AND"` so both conditions must match before a finding is suppressed. Note that `condition` is only honored in the `[[allowlists]]` array form (gitleaks 8.21 and later); the legacy single `[allowlist]` table has no such key and would silently fall back to matching either rule on its own.
- A description comment following `.gitleaks.toml`'s existing comment template.

## Acceptance criteria

- `gitleaks detect --source . --no-git` reports 0 findings against tracked files. The `.next/cache` hits aren't tracked and don't matter for the CI scan.
- The `.gitleaks.toml` allowlist block has the required description comment per existing convention.

Part of epic #2.
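The allowlist described under Scope, together with the acceptance check, as an added example. This is not the repository's `.gitleaks.toml` and not the project's own code: the hash, the fake secret and the `forgejo-mcp.md` contents are constructed stand-ins, and `[extend] useDefault = true` is an assumption about how the project's config pulls in the default rule set. The script writes the proposed block into a scratch directory, models how gitleaks evaluates `condition = "AND"` against the default `"OR"` for the three cases the issue cares about (documented hash in the doc, real secret in the doc, 64-hex value in another file), and runs `gitleaks detect` only if the binary is on `PATH`.

```shell
#!/bin/sh
# Added example for issue #77 (not the repo's own files): proposed allowlist,
# a constructed forgejo-mcp.md stand-in, and a shell model of the AND condition.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Constructed 64-hex value standing in for the documented cosign.pub hash
# (the real value from forgejo-mcp.md line 52 is deliberately not reproduced).
DOC_HASH="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
# Constructed stand-in for a real secret that must NOT be suppressed.
FAKE_SECRET="example_oauth_client_secret_not_a_hash"

# Stand-in for the doc: a verification value next to the word "key".
cat > forgejo-mcp.md <<EOF
2. Download the cosign public key. Expected sha256 of the key file: ${DOC_HASH}
EOF

# The allowlist from the issue. condition = "AND" requires the [[allowlists]]
# array form (gitleaks 8.21+); the legacy [allowlist] table has no condition.
# [extend] useDefault is an assumption so generic-api-key stays active.
cat > .gitleaks.toml <<'EOF'
[extend]
useDefault = true

# forgejo-mcp.md documents sha256 verification values (cosign key, image
# digest) that look like generic-api-key hits. Suppress only 64-hex literals
# in that one file; any other secret shape in it still fires.
[[allowlists]]
description = "forgejo-mcp.md: documented sha256 verification values, not credentials"
condition = "AND"
paths = ['''^forgejo-mcp\.md$''']
regexes = ['''\b[a-f0-9]{64}\b''']
EOF

# Shell model of how gitleaks evaluates that block for one finding. Allowlist
# regexes match the extracted secret by default (regexTarget = "secret"), so
# the issue's \b...\b pattern is anchored on the whole secret here.
# Usage: allowlisted AND|OR PATH SECRET ; returns 0 = suppressed, 1 = reported.
allowlisted() {
  cond="$1"; path="$2"; secret="$3"
  path_ok=1; secret_ok=1
  if printf '%s\n' "$path"   | grep -Eq '^forgejo-mcp\.md$'; then path_ok=0; fi
  if printf '%s\n' "$secret" | grep -Eq '^[a-f0-9]{64}$';   then secret_ok=0; fi
  if [ "$cond" = "AND" ]; then
    if [ "$path_ok" -eq 0 ] && [ "$secret_ok" -eq 0 ]; then return 0; fi
  else
    if [ "$path_ok" -eq 0 ] || [ "$secret_ok" -eq 0 ]; then return 0; fi
  fi
  return 1
}

report() {  # report COND PATH SECRET
  if allowlisted "$1" "$2" "$3"; then verdict=suppressed; else verdict=reported; fi
  printf '%-3s %-15s %-40.40s %s\n' "$1" "$2" "$3" "$verdict"
}

# The three cases from the issue, under AND (proposed) and OR (gitleaks default):
for cond in AND OR; do
  report "$cond" forgejo-mcp.md "$DOC_HASH"     # documented hash: suppressed either way
  report "$cond" forgejo-mcp.md "$FAKE_SECRET"  # real secret in the doc: OR wrongly suppresses
  report "$cond" README.md      "$DOC_HASH"     # 64-hex elsewhere: OR wrongly suppresses
done

# Acceptance check from the issue, run only when gitleaks is installed.
if command -v gitleaks >/dev/null 2>&1; then
  gitleaks detect --source . --no-git --config .gitleaks.toml --exit-code 1 \
    || echo "gitleaks still reports findings in $WORK" >&2
fi
echo "fixture and config written to $WORK"
```

The two rows that differ between `AND` and `OR` are the whole argument for `condition = "AND"`: with the default `OR`, matching the path alone exempts every finding in `forgejo-mcp.md`, and matching the 64-hex regex alone exempts any such value anywhere in the repo.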
forgejo-mcp.mdentirely #86