From 353366f1543a0fc571bb8b20b451efb34ed5659c Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 27 Mar 2026 12:12:50 +0300
Subject: [PATCH 1/5] ignore all patches
Signed-off-by: Maksim Khimchenko
---
 gitleaks/config/gitleaks.base.toml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/gitleaks/config/gitleaks.base.toml b/gitleaks/config/gitleaks.base.toml
index 7e07054..60f2d3e 100644
--- a/gitleaks/config/gitleaks.base.toml
+++ b/gitleaks/config/gitleaks.base.toml
@@ -1,6 +1,6 @@
 # Centralized Gitleaks configuration for all Deckhouse repositories
 # This file is distributed via modules-actions/gitleaks action
-# 
+#
 # Repositories can extend this config by creating local .gitleaks.toml:
 # [extend]
 # useDefault = false
@@ -20,7 +20,10 @@ paths = [
 # Go dependencies - public hashes
 "go.mod",
 "go.sum",
-
+
+ # patch files
+ ".*/*.patch",
+
 # Specific files with known false positives
 # "modules/101-cert-manager/docs/USAGE.md",
 # "modules/101-cert-manager/docs/USAGE_RU.md",
@@ -30,10 +33,10 @@ paths = [
 regexes = [
 # Go module checksums - always public
 '''h1:[A-Za-z0-9+/=]{40,}''',
-
+
 # Public certificates (only ca.crt, NOT private keys!)
 '''data:\s*\n\s*ca\.crt:\s*[A-Za-z0-9+/=\s]+''',
-
+
 # AWS Example values from official documentation - exact match
 '''AKIAIOSFODNN7EXAMPLE''',
 '''wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY''',
From c3a8293a1a0fd0e8af2767170f02eaa60c7864ff Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 27 Mar 2026 14:59:12 +0300
Subject: [PATCH 2/5] fix ignore patches
Signed-off-by: Maksim Khimchenko
---
 gitleaks/config/gitleaks.base.toml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/gitleaks/config/gitleaks.base.toml b/gitleaks/config/gitleaks.base.toml
index 60f2d3e..55a46ba 100644
--- a/gitleaks/config/gitleaks.base.toml
+++ b/gitleaks/config/gitleaks.base.toml
@@ -13,6 +13,8 @@ useDefault = true
 # Global allowlists
 [allowlist]
+regexTarget = "line"
+
 # === Safe files/directories ===
 # NOTE: Use exact paths, NOT glob patterns like **/go.mod
@@ -21,9 +23,6 @@ paths = [
 "go.mod",
 "go.sum",
- # patch files
- ".*/*.patch",
-
 # Specific files with known false positives
 # "modules/101-cert-manager/docs/USAGE.md",
 # "modules/101-cert-manager/docs/USAGE_RU.md",
@@ -32,10 +31,10 @@ paths = [
 # === Safe patterns ===
 regexes = [
 # Go module checksums - always public
- '''h1:[A-Za-z0-9+/=]{40,}''',
+ '''.*h1:[A-Za-z0-9+/=]{40,}''',
 # Public certificates (only ca.crt, NOT private keys!)
- '''data:\s*\n\s*ca\.crt:\s*[A-Za-z0-9+/=\s]+''',
+ '''ca\.crt:\s*[A-Za-z0-9+/=]+''',
 # AWS Example values from official documentation - exact match
 '''AKIAIOSFODNN7EXAMPLE''',
From fe29816ec444fef88071a3010ef10cb2efa4189e Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 27 Mar 2026 15:03:25 +0300
Subject: [PATCH 3/5] remove quantity
Signed-off-by: Maksim Khimchenko
---
 gitleaks/config/gitleaks.base.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gitleaks/config/gitleaks.base.toml b/gitleaks/config/gitleaks.base.toml
index 55a46ba..ead522d 100644
--- a/gitleaks/config/gitleaks.base.toml
+++ b/gitleaks/config/gitleaks.base.toml
@@ -31,7 +31,7 @@ paths = [
 # === Safe patterns ===
 regexes = [
 # Go module checksums - always public
- '''.*h1:[A-Za-z0-9+/=]{40,}''',
+ '''h1:[A-Za-z0-9+/=]+''',
 # Public certificates (only ca.crt, NOT private keys!)
 '''ca\.crt:\s*[A-Za-z0-9+/=]+''',
From 4e234eaba5087c3ca7975b0e2885c9c202a886de Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 27 Mar 2026 15:38:16 +0300
Subject: [PATCH 4/5] return back quantity
Signed-off-by: Maksim Khimchenko
---
 gitleaks/config/gitleaks.base.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gitleaks/config/gitleaks.base.toml b/gitleaks/config/gitleaks.base.toml
index ead522d..3d1e0f1 100644
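Review bot: `regexTarget = "line"` is added to `[allowlist]` without a comment, and it changes what every entry in `regexes` further down is matched against — the whole line containing a finding rather than the matched secret itself, so (if I read gitleaks' allowlist semantics correctly) one match anywhere on a line suppresses every finding on that line. Unanchored entries such as `AKIAIOSFODNN7EXAMPLE` or the `h1:` checksum pattern then also allowlist any other token that happens to share a line with them, which is a wider exemption than the existing per-pattern comments describe. Suggest recording the intent above the key, e.g. `# Allowlist regexes are matched against the whole line, not only the detected secret; keep patterns specific`, and re-reading each pattern in `regexes` with line-wide matching in mind. The `[allowlist]` table continues outside the hunk.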
--- a/gitleaks/config/gitleaks.base.toml
+++ b/gitleaks/config/gitleaks.base.toml
@@ -31,7 +31,7 @@ paths = [
 # === Safe patterns ===
 regexes = [
 # Go module checksums - always public
- '''h1:[A-Za-z0-9+/=]+''',
+ '''h1:[A-Za-z0-9+/=]{12,}''',
 # Public certificates (only ca.crt, NOT private keys!)
 '''ca\.crt:\s*[A-Za-z0-9+/=]+''',
From 3b1e77900f634ea17a4940dde17ac2da5e2f32fa Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 27 Mar 2026 19:18:11 +0300
Subject: [PATCH 5/5] remove allow ca exceptions
Signed-off-by: Maksim Khimchenko
---
 gitleaks/config/gitleaks.base.toml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/gitleaks/config/gitleaks.base.toml b/gitleaks/config/gitleaks.base.toml
index 3d1e0f1..865d7fd 100644
--- a/gitleaks/config/gitleaks.base.toml
+++ b/gitleaks/config/gitleaks.base.toml
@@ -33,9 +33,6 @@ regexes = [
 # Go module checksums - always public
 '''h1:[A-Za-z0-9+/=]{12,}''',
- # Public certificates (only ca.crt, NOT private keys!)
- '''ca\.crt:\s*[A-Za-z0-9+/=]+''',
-
 # AWS Example values from official documentation - exact match
 '''AKIAIOSFODNN7EXAMPLE''',
 '''wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY''',
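Review bot: The Go checksum allowlist is loosened from the original `{40,}` to `{12,}` with no comment explaining the new bound, and combined with `regexTarget = "line"` (added in PATCH 2/5) any line containing `h1:` followed by twelve base64 characters is now skipped as a whole, which is broader than the "always public" go.sum checksum the comment above it describes. A go.sum `h1:` value is a base64 SHA-256 digest of fixed length (44 characters), so if the shorter bound is needed to cover some other kind of line the comment should name it; otherwise `{44}` or the original `{40,}` is the tighter fit. Suggested comment: `# Go module checksums (h1: + 44-char base64 SHA-256); minimum lowered to 12 because <reason>`. The `regexes` array continues outside the hunk.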