matrix/.gitleaks.toml
jared 78d1645f08
Lint / Shell (shellcheck) (push) Successful in 9s
Lint / JS (eslint) (push) Successful in 6s
Lint / Python (ruff) (push) Failing after 4s
Lint / Python deps (pip-audit) (push) Successful in 1m5s
Lint / Secret scan (gitleaks) (push) Failing after 5s
Fix all CI jobs: ruff binary, pip-audit venv, gitleaks baseline
- ruff: download standalone binary instead of using python3 -m ruff
  (runner image lacks the PATH entry for pip-installed bin scripts)
- pip-audit: add python3-venv to apt install (pip-audit creates a venv
  internally to resolve deps; ensurepip was missing)
- gitleaks: switch from stopwords allowlist to --baseline-path approach.
  Stopwords don't suppress findings from git history scans. The baseline
  records the 4 known-intentional webhook HMAC secrets; CI now only
  fails on findings NOT in the baseline (i.e. newly introduced secrets)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 16:36:59 -04:00

12 lines
446 B
TOML

[extend]
useDefault = true

# Allowlist for the four Gitea webhook HMAC secrets kept in deploy/hooks-lxc*.json.
# Listing the literal values here copies the secrets into a second tracked file,
# so this config is as sensitive as the hook configs themselves and has to be
# updated whenever one of the secrets is rotated.
[[allowlists]]
description = "Gitea webhook HMAC secrets in deploy/hooks-lxc*.json are intentional configuration"
stopwords = [
  "76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b",
  "ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267",
  "0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0",
  "38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa",
]
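The commit message above switches the CI job to `--baseline-path`, which suppresses a finding only when it was already recorded in a previous report. The script below is an added example, not code from this repository or from gitleaks, that models that rule offline so the consequence is visible: the baseline matches on each finding's Fingerprint, so the same secret value committed again at another commit, file or line is a new finding and fails the job, and baseline entries that no longer show up in a scan point at a secret that moved or was rotated. All findings are constructed sample data; the commit hashes, paths and secret values are placeholders, and the `commit:file:rule:line` Fingerprint layout is assumed from gitleaks v8 JSON reports.

```python
"""Offline model of gitleaks' --baseline-path filtering (added example)."""
import json


def _finding(commit, path, rule, line, secret):
    """Build one gitleaks-style finding (constructed sample data)."""
    return {
        "RuleID": rule,
        "Commit": commit,
        "File": path,
        "StartLine": line,
        "Secret": secret,
        # Assumed Fingerprint layout; gitleaks keys baseline matches on this string.
        "Fingerprint": f"{commit}:{path}:{rule}:{line}",
    }


# Constructed baseline: what an earlier `gitleaks detect --report-path baseline.json`
# would have recorded for the known-intentional hook secrets (placeholder values).
BASELINE = [
    _finding("1111aaaa", "deploy/hooks-lxc-a.json", "generic-api-key", 4, "secret-a"),
    _finding("1111aaaa", "deploy/hooks-lxc-b.json", "generic-api-key", 4, "secret-b"),
]

# Constructed later scan: history scans keep reporting the baselined findings,
# and two new ones have appeared.
SCAN = BASELINE + [
    # The same value as secret-a, copied into a README in a new commit.
    _finding("2222bbbb", "README.md", "generic-api-key", 17, "secret-a"),
    # A genuinely new credential.
    _finding("2222bbbb", "scripts/deploy.sh", "generic-api-key", 9, "secret-c"),
]


def _as_list(report):
    """Accept either a JSON report string or an already parsed list of findings."""
    return json.loads(report) if isinstance(report, str) else report


def load_fingerprints(report):
    """Return the set of Fingerprints in a gitleaks report."""
    return {f["Fingerprint"] for f in _as_list(report)}


def new_findings(report, baseline):
    """Findings in `report` whose Fingerprint is absent from `baseline`."""
    known = load_fingerprints(baseline)
    return [f for f in _as_list(report) if f["Fingerprint"] not in known]


def ci_exit_code(report, baseline):
    """1 when any finding lies outside the baseline (fail the job), else 0."""
    return 1 if new_findings(report, baseline) else 0


def stale_baseline_entries(report, baseline):
    """Baseline fingerprints the scan no longer produces.

    A non-empty result usually means a secret moved or was rotated; regenerate
    the baseline instead of letting it accumulate dead entries.
    """
    return sorted(load_fingerprints(baseline) - load_fingerprints(report))


if __name__ == "__main__":
    for f in new_findings(SCAN, BASELINE):
        print(f"NEW {f['RuleID']} {f['File']}:{f['StartLine']} ({f['Fingerprint']})")
    raise SystemExit(ci_exit_code(SCAN, BASELINE))
```

Run against the sample data it reports the README copy and the new deploy-script credential and exits 1, while a scan identical to the baseline exits 0; note that the README finding is flagged even though its secret value is one of the allowlisted ones, which is the behaviour a stopwords allowlist would not give you.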