From 14859817d99df801fcb24a0410f4e3193ee7e833 Mon Sep 17 00:00:00 2001 From: Sulkta Date: Thu, 28 May 2026 11:17:12 -0700 Subject: [PATCH] ci: gitleaks allowlist for gov_token_policy IDs (Cardano script hashes, not secrets). Closes #300 --- .gitleaks.toml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .gitleaks.toml diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 0000000..3472041 --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,22 @@ +# gitleaks config — aldabra +# +# Why: the gitleaks `generic-api-key` rule flags high-entropy hex strings. +# Cardano governance / policy / asset / script identifiers are 28-byte +# blake2b hashes (56 hex chars), which trip the rule even though they are +# public on-chain values — script hashes are derivable from validator +# bytecode that ships in the repo. They are NOT secrets. +# +# Add new allowlist entries here when CI catches more false-positive +# patterns. Real secrets (signing keys, mnemonics, API tokens) still +# trip the rule because their syntactic context (Bech32 prefixes, +# private_key fields, env-var names) doesn't match these regexes. + +[extend] +useDefault = true + +[allowlist] +description = "Cardano gov_token_policy / policy_id IDs are public blake2b script hashes" +regexTarget = "line" +regexes = [ + '''gov_token_policy:\s*"[a-f0-9]{56}"''', +]