chore(security): add gitleaks secret detection and .gitignore security baseline#493
Conversation
…y baseline Introduces gitleaks v8.30.1 for multi-layered secret scanning: - pre-commit hook via .pre-commit-config.yaml - CI job in security.yml with SHA256 checksum verification Applies .gitignore security baseline template with !extensions/*/.vscode/ negation for extension dev configs. Also hardens all 8 checkout steps with persist-credentials: false. Signed-off-by: Null;Variant <null@nullvariant.com> 🖥️ IDE: [VS Code](https://code.visualstudio.com/) 🔌 Extension: [Claude Code](https://claude.ai/download) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Model-Raw: claude-opus-4-6
ⓘ You've reached your Qodo monthly free-tier limit. Reviews pause until next month — upgrade your plan to continue now, or link your paid account if you already have one. |
🐗 Blaze's Release Review 🔥🔥🔥🔥 VERSION BUMP DETECTED! THIS IS IT! 🔥🔥🔥 ✨ PATCH VERSION BUMP in
✨ Quick patch! Nice and clean.
This review was ENTHUSIASTICALLY filed by nullvariant-blaze[bot] |
🦥 Slow's Code Review 😩...yawn... Do I really have to review this?
| Split it up... reading long files is exhausting.
This review was reluctantly filed by nullvariant-slow[bot] |
👧 Luna's Exploration Report 📦No new dependencies added. Just version bumps! Nothing to explore here... 😴
This report was curiously compiled by nullvariant-luna[bot] |
🐰 Mimi's Validation Report ✅All checks are looking good! Great job! 🎉 ⏳ Some checks are still running. I will keep watching!
This report was carefully prepared by nullvariant-mimi[bot] |
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
🕊️ Ciel's Mediation ☀️*~~ gliding on a gentle breeze ~~ How serene!* 4 zoo members have reviewed this PR.
☀️ The zoo is in harmony. Everything looks peaceful from up here.
This mediation was peacefully delivered by nullvariant-ciel[bot] |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
…M header constants Gitleaks correctly detects dummy API keys in test fixtures and PEM header strings in sshAgent.ts, but these are intentional: test fixtures use fake secrets for security testing, and sshAgent.ts uses PEM headers as format detection constants (not actual keys). Signed-off-by: Null;Variant <null@nullvariant.com> 🖥️ IDE: [VS Code](https://code.visualstudio.com/) 🔌 Extension: [Claude Code](https://claude.ai/download) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Model-Raw: claude-opus-4-6
Git history scanning triggers false positives on test fixture dummy secrets and PEM header constants across past commits. Working tree scan with .gitleaks.toml allowlist is sufficient — GitHub Secret Scanning + Push Protection already covers history. Signed-off-by: Null;Variant <null@nullvariant.com> 🖥️ IDE: [VS Code](https://code.visualstudio.com/) 🔌 Extension: [Claude Code](https://claude.ai/download) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Model-Raw: claude-opus-4-6
Fix TOML syntax error (paths must be string array, not table array). Add allowlist for compiled output (out/), .vscode-test/, and node_modules/. Use regex alternation for src/out variants. Signed-off-by: Null;Variant <null@nullvariant.com> 🖥️ IDE: [VS Code](https://code.visualstudio.com/) 🔌 Extension: [Claude Code](https://claude.ai/download) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Model-Raw: claude-opus-4-6
|



Summary
!extensions/*/.vscode/negation for extension dev configssecurity.ymlwithpersist-credentials: falseTest plan
npx tsc --noEmit).vscode/tracked files are still accessible after.gitignorerewrite