ci: gitleaks allowlist for gov_token_policy IDs (Cardano script hashes, not secrets). Closes #300

This commit is contained in:
Sulkta 2026-05-28 11:17:12 -07:00
parent f1874ea763
commit 14859817d9

22
.gitleaks.toml Normal file
View file

@ -0,0 +1,22 @@
# gitleaks config — aldabra
#
# Why: the gitleaks `generic-api-key` rule flags high-entropy hex strings.
# Cardano governance / policy / asset / script identifiers are 28-byte
# blake2b hashes (56 hex chars), which trip the rule even though they are
# public on-chain values — script hashes are derivable from validator
# bytecode that ships in the repo. They are NOT secrets.
#
# Add new allowlist entries here when CI catches more false-positive
# patterns. Real secrets (signing keys, mnemonics, API tokens) still
# trip the rule because their syntactic context (Bech32 prefixes,
# private_key fields, env-var names) doesn't match these regexes.
[extend]
useDefault = true
[allowlist]
description = "Cardano gov_token_policy / policy_id IDs are public blake2b script hashes"
regexTarget = "line"
regexes = [
'''gov_token_policy:\s*"[a-f0-9]{56}"''',
]