build(security): allowlist documented hashes in forgejo-mcp.md (#77) #78

Merged
james merged 1 commit from 77-gitleaks-allowlist-forgejo-mcp into main 2026-06-17 15:02:48 +00:00
Owner

Closes #77.

## Summary

gitleaks 8.30.1 flags `forgejo-mcp.md` line 52 under `generic-api-key`:

```
Expected SHA-256 of the key file:
`b3862b1deefa2b726ee722e0c3d5b81681ef34803d575b2a6664e7b37fd9c736`
```

That's the documented expected hash of the cosign public key file a contributor downloads in step 2 of the MCP setup — a verification value, not a credential. A similar pattern appears on line 69 (the image digest in the cosign-verify example) and would be flagged by future rule-pack updates if not by this version.

## Fix

Narrow allowlist in `.gitleaks.toml`:

```toml
[[allowlists]]
description = "Verification hashes (key file SHA-256, image digest) in forgejo-mcp.md setup instructions"
condition = "AND"
paths = ['''^forgejo-mcp\.md$''']
regexes = ['''\b[a-f0-9]{64}\b''']
```

`condition = "AND"` guarantees both the path **and** content regex must match before suppression. A real secret in that file (OAuth `client_secret`, auth token, etc.) doesn't match `\b[a-f0-9]{64}\b` and still gets flagged.

## Test plan

- [x] `gitleaks detect --source . --no-banner --redact` — `no leaks found` (was: `leaks found: 1` against forgejo-mcp.md before the change).
- [x] Local pre-commit `lefthook` hook on this branch — gitleaks step passes, commit succeeded.
- [ ] CI `secrets.yml` workflow on this PR — should be green where it was failing before.
build(security): allowlist documented hashes in forgejo-mcp.md (#77)
All checks were successful
Secrets / gitleaks (pull_request) Successful in 12s
PR / OSV-Scanner (pull_request) Successful in 21s
PR / npm audit (pull_request) Successful in 46s
PR / Typecheck (pull_request) Successful in 50s
PR / Lint (pull_request) Successful in 55s
PR / Static analysis (Semgrep) (pull_request) Successful in 57s
PR / Test (sqlite) (pull_request) Successful in 1m8s
PR / Test (postgres) (pull_request) Successful in 1m9s
PR / Build (pull_request) Successful in 1m15s
PR / Trivy (image) (pull_request) Successful in 1m23s
399b3e3973
gitleaks 8.30.1 flagged forgejo-mcp.md line 52 (the documented SHA-256
of the cosign public key file a contributor downloads in step 2 of the
MCP setup) under generic-api-key. A 64-hex-char literal next to the
word "key" trips the high-entropy heuristic — but these are verification
values for the contributor to compare against, not credentials.

Narrow allowlist: path matches `forgejo-mcp.md` AND content matches a
bare SHA-256 hex literal. condition="AND" guarantees both must hold,
so a real secret in that file (auth token, OAuth client_secret) does
not match the regex and still gets caught.

Closes #77.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
james merged commit a175126d98 into main 2026-06-17 15:02:48 +00:00