From a69cdd1fb7ceac6d6e19d361ffb948262e63e29c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=A0pa=C4=8Dek?=
Date: Sat, 19 Oct 2024 02:44:23 +0200
Subject: [PATCH 1/3] Gitleaks 8.19 deprecated some commands I've used
- the `detect` command replaced with the `git` command
- `--no-git` replaced with the `directory` command
https://github.com/gitleaks/gitleaks/releases/tag/v8.19.0
---
 .gitleaks.toml | 2 +-
 app/Makefile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitleaks.toml b/.gitleaks.toml
index 0c1bd3823..3dd640398 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -44,7 +44,7 @@ keywords = [
 [allowlist]
 paths = [
 '''js/openpgp\.min\.js''',
- # Paths otherwise .gitignored should be listed here if you want to run with --no-git
+ # Paths otherwise .gitignored should be listed here if you want to use `gitleaks directory`
 '''i/build/''',
 '''site/temp/cache/''',
 ]
diff --git a/app/Makefile b/app/Makefile
index 1ddec111c..30a66f569 100644
--- a/app/Makefile
+++ b/app/Makefile
@@ -61,7 +61,7 @@ tester-include-skipped:
 $(MAKE) tester
 gitleaks:
- gitleaks detect --verbose --source $(realpath ..)
+ gitleaks git --verbose $(realpath ..)
 composer-dependency-analyser:
 vendor/bin/composer-dependency-analyser --verbose
From 1b20a732b598a45b40a1cf47bbd0cdf37cbe52d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=A0pa=C4=8Dek?=
Date: Sat, 19 Oct 2024 03:09:08 +0200
Subject: [PATCH 2/3] Allow secrets in vendor dir as they're not really secrets
They're examples, or cache keys. Also using the "old" site dir because the wannabe-leaky commits were done in that dir.
---
 .gitleaks.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitleaks.toml b/.gitleaks.toml
index 3dd640398..a7ee7974c 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
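Review bot: The rewritten target `gitleaks git --verbose $(realpath ..)` prints each finding, including the matched value, to stdout, so wherever this target's output is captured (a CI job log, a shared build log) the detected secret is copied into that log; `--redact` keeps the verbose report but masks the matched value, e.g. `gitleaks git --verbose --redact $(realpath ..)`. The `detect` invocation it replaces had the same behaviour, so this is not a regression, but the line is being rewritten anyway and the 8.19 `git` command accepts the flag.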
@@ -44,6 +44,7 @@ keywords = [
 [allowlist]
 paths = [
 '''js/openpgp\.min\.js''',
+ '''site/vendor/''',
 # Paths otherwise .gitignored should be listed here if you want to use `gitleaks directory`
 '''i/build/''',
 '''site/temp/cache/''',
From 6d0434b4401bceda9a18f961250d8c3b246c5c51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=A0pa=C4=8Dek?=
Date: Sat, 19 Oct 2024 03:13:27 +0200
Subject: [PATCH 3/3] Update the hash for the ignored config.neon secret
Possibly because of some fixes in 8.21 but it has started when 8.20.1 was released and used by the Gitleaks action, so no idea really
https://github.com/gitleaks/gitleaks/releases/tag/v8.21.0
https://github.com/gitleaks/gitleaks/releases/tag/v8.20.1
---
 .gitleaksignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitleaksignore b/.gitleaksignore
index ea617050b..1a5f14d88 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -4,7 +4,7 @@
 4eea8b8b4a748558fc9d148e870c046e70f02e93:site/app/config/config.local.template.neon:generic-api-key-extra-keywords:71
 4eea8b8b4a748558fc9d148e870c046e70f02e93:site/app/config/config.local.template.neon:generic-api-key-extra-keywords:73
 8e2f5d8924f633825fdd9e83431ac83166fb2ba4:site/app/config/config.local.template.neon:generic-api-key-extra-keywords:80
-bcedeb91aedc5501ee37ef6e71e0abe5ec5f8622:app/config/config.neon:generic-api-key-extra-keywords:37
+e8ee56be1f7af3c54ecc5aff2e5b525151dcd847:app/config/config.neon:generic-api-key-extra-keywords:37
 0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/local.template.neon:michalspacek.cz-encryption-keys:52
 0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/local.template.neon:generic-api-key-extra-keywords:52
 0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/local.template.neon:michalspacek.cz-encryption-keys:54
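Review bot: The added `'''site/vendor/'''` entry is a regex, like the escaped `js/openpgp\.min\.js` entry above it, and it is unanchored, so it allowlists any path that merely contains `site/vendor/` rather than only that directory; `'''^site/vendor/'''` would pin it to the directory the commit message has in mind. Allowlisting the whole vendored tree also hides any real credential that a dependency ships with or that is later copied there, which is broader than the "examples, or cache keys" the commit describes; if the current findings come from a few known files, listing those files (or the known non-secret values under the allowlist's `regexes`) keeps detection on for the rest of the tree. The hunk shows only the middle of the `paths` array; its closing bracket is outside the hunk.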
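Review bot: The old fingerprint `bcedeb91aedc5501ee37ef6e71e0abe5ec5f8622:app/config/config.neon:generic-api-key-extra-keywords:37` is dropped instead of kept beside the new one, while the commit message says the change appeared with the 8.20.1 release used by the Gitleaks action and that its cause is unknown; a local run through the Makefile target with an older gitleaks may still report the old fingerprint, and a later release may revert to it. Keeping both lines costs nothing, since an entry that never matches is simply unused. Since a .gitleaksignore entry suppresses the report without changing the history it points to, it would also help to record, in the commit message or a comment if the file format allows one, that the value at line 37 of app/config/config.neon was confirmed to be a non-secret or has been rotated.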