Add Gitleaks allowlist file (#9)

* Initial exclusion of false positive secrets * add description to .gitleaks.toml
apollographql · Apr 18, 2023 · 48cb278 · 48cb278
1 parent c8bbb0a
commit 48cb278
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,34 @@
+# This file exists primarily to influence scheduled scans that Apollo runs of all repos in Apollo-managed orgs. 
+# This is an Apollo-Internal link, but more information about these scans is available here:
+# https://apollographql.atlassian.net/wiki/spaces/SecOps/pages/81330213/Everything+Static+Application+Security+Testing#Scheduled-Scans.1
+# 
+# Apollo is using Gitleaks (https://github.com/gitleaks/gitleaks) to run these scans.
+# However, this file is not something that Gitleaks natively consumes. This file is an
+# Apollo-convention. Prior to scanning a repo, Apollo merges
+# our standard Gitleaks configuration (which is largely just the Gitleaks-default config) with
+# this file if it exists in a repo. The combined config is then used to scan a repo.
+# 
+# We did this because the natively-supported allowlisting functionality in Gitleaks didn't do everything we wanted
+# or wasn't as robust as we needed. For example, one of the allowlisting options offered by Gitleaks depends on the line number
+# on which a false positive secret exists to allowlist it. (https://github.com/gitleaks/gitleaks#gitleaksignore).
+# This creates a fairly fragile allowlisting mechanism. This file allows us to leverage the full capabilities of the Gitleaks rule syntax
+# to create allowlisting functionality.
+
+[[ rules ]]
+    id = "high-entropy-base64"
+    [ rules.allowlist ]
+        commits = [
+            "6e5da5062ffa1f976667a1a95607bf0387464f7a",
+            "51c67dc98a1f267121cbff1f1ef26722b353a41a",
+            "00ad7bcd0ea99daf9db9e90956d2de840fac8d9c",
+            "5347e263ee9515eb25be48acff61320c4f4256e4",
+            "53c79c2bd1e03d2155d0a6b96ea2a31960541ecc",
+            "95aaefe7b7f715df37ffdf99b77705ded8e62586",
+            "a13abf7340d650ddda6d13de483f72668b3b0dae",
+            "c46ec69abfcc4bef442db386a1f3a0b661dca6a9",
+            "2b9d5714678701865ac2e57d6783726eee931982",
+            "2cf7cddff7c6cfcb704c81eadce586d6060e86a4",
+            "610de0e7dbfda5cf0acb9b992525e91df25ee65c",
+            "857682a99d0a0e18943d956df62096f13745db9d",
+
+        ]