build(security): allowlist documented hashes in forgejo-mcp.md (#77) #78
Closes #77.
Summary
gitleaks 8.30.1 flags forgejo-mcp.md line 52 under generic-api-key. That's the documented expected hash of the cosign public key file a contributor downloads in step 2 of the MCP setup — a verification value, not a credential. A similar pattern appears on line 69 (the image digest in the cosign-verify example) and would be flagged by future rule-pack updates if not by this version.

Fix

Narrow allowlist in .gitleaks.toml: `condition = "AND"` guarantees both the path and content regex must match before suppression. A real secret in that file (OAuth client_secret, auth token, etc.) doesn't match `\b[a-f0-9]{64}\b` and still gets flagged.

Test plan

- `gitleaks detect --source . --no-banner --redact` — no leaks found (was: leaks found: 1 against forgejo-mcp.md before the change).
- lefthook hook on this branch — gitleaks step passes, commit succeeded.
- secrets.yml workflow on this PR — should be green where it was failing before.
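Added example, not part of this PR or of gitleaks itself: a small model of the allowlist semantics described above, showing why `condition = "AND"` matters. The content regex is the one quoted in the PR; the path regex, file paths and finding values are constructed assumptions, since the PR does not show the actual .gitleaks.toml entry.

```python
import re
from dataclasses import dataclass

# Assumed path pattern for the allowlist entry (the PR does not show it).
PATH_RE = re.compile(r"(^|/)forgejo-mcp\.md$")
# Content regex quoted in the PR: a bare 64-char lowercase hex digest.
SECRET_RE = re.compile(r"\b[a-f0-9]{64}\b")


@dataclass
class Finding:
    path: str    # file the detector reported
    secret: str  # the string the generic-api-key rule matched


def allowlisted(f: Finding, condition: str = "AND") -> bool:
    """Model of one allowlist with a path entry and a regex entry.

    AND: both the path and the matched content must satisfy the entry.
    OR (gitleaks' default): any single matching entry suppresses the finding,
    so every finding inside the allowlisted file would be silenced.
    """
    path_ok = bool(PATH_RE.search(f.path))
    regex_ok = bool(SECRET_RE.search(f.secret))
    if condition == "AND":
        return path_ok and regex_ok
    return path_ok or regex_ok


def leaks(findings, condition: str = "AND"):
    """Return the findings that would still be reported."""
    return [f for f in findings if not allowlisted(f, condition)]


# Constructed sample findings; the values are placeholders, not real hashes or secrets.
FINDINGS = [
    Finding("docs/forgejo-mcp.md", "a" * 64),                  # documented verification hash
    Finding("docs/forgejo-mcp.md", "client_secret=AbC123xyz"),  # real credential in the same file
    Finding("config/prod.env", "b" * 64),                      # 64-hex token outside the doc
]

if __name__ == "__main__":
    for cond in ("AND", "OR"):
        print(cond, [(f.path, f.secret[:12]) for f in leaks(FINDINGS, cond)])
```

With AND only the documented hash is suppressed; with the default OR every one of the three findings is silenced, including the credential.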