ci: gitleaks allowlist for gov_token_policy IDs (Cardano script hashes, not secrets). Closes #300
This commit is contained in:
parent
f1874ea763
commit
14859817d9
1 changed files with 22 additions and 0 deletions
22
.gitleaks.toml
Normal file
22
.gitleaks.toml
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
# gitleaks config — aldabra
|
||||
#
|
||||
# Why: the gitleaks `generic-api-key` rule flags high-entropy hex strings.
|
||||
# Cardano governance / policy / asset / script identifiers are 28-byte
|
||||
# blake2b hashes (56 hex chars), which trip the rule even though they are
|
||||
# public on-chain values — script hashes are derivable from validator
|
||||
# bytecode that ships in the repo. They are NOT secrets.
|
||||
#
|
||||
# Add new allowlist entries here when CI catches more false-positive
|
||||
# patterns. Real secrets (signing keys, mnemonics, API tokens) still
|
||||
# trip the rule because their syntactic context (Bech32 prefixes,
|
||||
# private_key fields, env-var names) doesn't match these regexes.
|
||||
|
||||
[extend]
|
||||
useDefault = true
|
||||
|
||||
[allowlist]
|
||||
description = "Cardano gov_token_policy / policy_id IDs are public blake2b script hashes"
|
||||
regexTarget = "line"
|
||||
regexes = [
|
||||
'''gov_token_policy:\s*"[a-f0-9]{56}"''',
|
||||
]
|
||||
Loading…
Add table
Add a link
Reference in a new issue