fix(security): clear gitleaks aws-account-id findings (aws-samples#313) (aws-samples#322)

theagenticguy · web-flow · commit b05588bc2b4f · 2026-06-12T15:32:20.000Z
The custom aws-account-id rule (f57b931) flagged 25 findings on main, failing security:secrets repo-wide. Classified: 21 false positives, 1 real account ID in 3 locations. - Scrub the one real ID from the live diagram docs/diagrams/phase3-cedar-hitl.drawio, replacing it with the AWS-published placeholder 123456789012. - Allowlist the false positives in .gitleaks.toml, scoped by path: - .github/workflows/*.yml: 12-digit runs inside Action commit-SHA pins. - .threat-composer/*.json: v4 UUID final nodes that are all-digit. - cdk/test/*.test.ts: the RFC-4122 example UUID ...-446655440000. - Add .gitleaksignore baseline for the same real ID in history (commit 0dca217: two now-deleted backlog docs + the pre-scrub diagram), which cannot be removed without rewriting shared main history. mise run security:secrets now reports 0 leaks. New occurrences are still flagged; only these specific historical fingerprints are suppressed. Closes aws-samples#313
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -59,3 +59,19 @@ paths = [
 ]
 # Per-line opt-out: append `# gitleaks:allow account-id` on a legitimate line.
 stopwords = ["gitleaks:allow account-id"]
+
+[[rules.allowlists]]
+# False positives where a 12-digit run is NOT an AWS account ID:
+#  - GitHub Action commit-SHA pins contain digit runs (e.g. jdx/mise-action
+#    `…981980618f…` matches `629881980618`).
+#  - threat-composer artifacts use v4 UUIDs whose final node can be all digits
+#    (e.g. `f30d02f6-9750-46ad-b710-398303478932`).
+#  - Test fixtures use the RFC-4122 example UUID `…-446655440000`.
+# These files contain no real account IDs; scope the exemption by path.
+description = "Non-account 12-digit runs: workflow SHA pins, threat-composer UUIDs, test-fixture UUIDs."
+regexTarget = "line"
+paths = [
+    '''^\.github/workflows/.*\.ya?ml$''',
+    '''^\.threat-composer/.*\.json$''',
+    '''^cdk/test/.*\.test\.ts$''',
+]
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -0,0 +1,9 @@
+# gitleaks baseline — historical findings that cannot be removed without
+# rewriting shared `main` history. A real AWS account ID was committed in
+# 0dca217 (two docs-backlog files + a diagram). The live diagram is scrubbed to
+# a placeholder in this change; the backlog docs were already deleted from HEAD.
+# These fingerprints suppress only those past commits — any NEW occurrence is
+# still flagged. See #313.
+0dca2171f244f693ac7c649ecf376d1ce6af2b38:docs/backlog/EARLY_PROGRESS_MILESTONES.md:aws-account-id:5
+0dca2171f244f693ac7c649ecf376d1ce6af2b38:docs/backlog/CLI_COGNITO_NEW_PASSWORD_CHALLENGE.md:aws-account-id:5
+0dca2171f244f693ac7c649ecf376d1ce6af2b38:docs/diagrams/phase3-cedar-hitl.drawio:aws-account-id:28
diff --git a/docs/diagrams/phase3-cedar-hitl.drawio b/docs/diagrams/phase3-cedar-hitl.drawio
@@ -25,7 +25,7 @@
         <mxCell id="term-b" parent="1" style="rounded=1;fillColor=light-dark(#EDE7F6,#1a1530);strokeColor=#8C4FFF;strokeWidth=2;html=1;align=center;verticalAlign=middle;fontSize=10;fontFamily=Helvetica;fontColor=#8C4FFF;fontStyle=1;" value="Terminal B ⚙️&#10;(bgagent approve/deny)" vertex="1">
           <mxGeometry height="40" width="130" x="180" y="260" as="geometry" />
         </mxCell>
-        <mxCell id="cloud" parent="1" style="points=[[0,0],[0.25,0],[0.5,0],[0.75,0],[1,0],[1,0.25],[1,0.5],[1,0.75],[1,1],[0.75,1],[0.5,1],[0.25,1],[0,1],[0,0.75],[0,0.5],[0,0.25]];outlineConnect=0;gradientColor=none;html=1;whiteSpace=wrap;fontSize=14;shape=mxgraph.aws4.group;grIcon=mxgraph.aws4.group_aws_cloud;strokeColor=light-dark(#232F3E,#E0ECFB);fillColor=light-dark(#232F3E0D,#90C7FF0D);verticalAlign=top;align=left;spacingLeft=30;fontColor=#232F3E;dashed=0;container=1;pointerEvents=0;collapsible=0;fontFamily=Helvetica;fontStyle=1;" value="AWS Cloud — us-east-1 (account 169728770098)" vertex="1">
+        <mxCell id="cloud" parent="1" style="points=[[0,0],[0.25,0],[0.5,0],[0.75,0],[1,0],[1,0.25],[1,0.5],[1,0.75],[1,1],[0.75,1],[0.5,1],[0.25,1],[0,1],[0,0.75],[0,0.5],[0,0.25]];outlineConnect=0;gradientColor=none;html=1;whiteSpace=wrap;fontSize=14;shape=mxgraph.aws4.group;grIcon=mxgraph.aws4.group_aws_cloud;strokeColor=light-dark(#232F3E,#E0ECFB);fillColor=light-dark(#232F3E0D,#90C7FF0D);verticalAlign=top;align=left;spacingLeft=30;fontColor=#232F3E;dashed=0;container=1;pointerEvents=0;collapsible=0;fontFamily=Helvetica;fontStyle=1;" value="AWS Cloud — us-east-1 (account 123456789012)" vertex="1">
           <mxGeometry height="1360" width="2160" x="340" y="130" as="geometry" />
         </mxCell>
         <mxCell id="cog" parent="cloud" style="rounded=1;fillColor=light-dark(#FFEBEE,#FFEBEE);strokeColor=#DD344C;strokeWidth=1.5;html=1;verticalAlign=top;fontStyle=1;fontSize=12;fontColor=#DD344C;fontFamily=Helvetica;container=1;collapsible=0;spacingLeft=8;spacingTop=6;" value="Cognito User Pool (shared JWT issuer)" vertex="1">
