docs 📝: Add new rule to detect Sidekiq secret in README.md #23

Merged
Jose merged 19 commits from dev into main 2026-02-14 11:02:56 +01:00
Showing only changes of commit 64aec59295

@@ -37,4 +37,11 @@ id = "generic-api-key-docs"
description = "Ignore placeholder secrets in README.md"
regex = "(?i)(api[_-]?key|secret|token)=\\S+"
filepath = "README.md"
Review

[Lines 38-39] [Score: 4] The regular expression for generic API keys catches any string containing "api", "key", "secret", or "token" followed by one or more non-space characters. While this is a good starting point, it might catch too many false positives if the project uses these terms in non-sensitive contexts. Consider refining the regular expression to better match actual API keys.

entropy = 10.0 # very high threshold, placeholders won't trigger

[Lines 35-40] [Score: 2] This rule is similar to the initial allowlist rule for ignoring placeholder secrets within the README.md file, but with a higher entropy threshold (10.0) to reduce false negatives. It's good to have this rule in place to prevent alerts on known placeholders and maintain proper scan results.

Review

[Score: 4] The high entropy value (5.0) set for the generic API keys in README.md might overlook actual secrets. Consider reducing the entropy threshold to ensure sensitive information is detected.

[[rules]]
id = "sidekiq-secret"
description = "Sidekiq Secret in README.md"
regex = "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=\\S+"
filepath = "README.md"
Review

[Score: 4] The high entropy value (5.0) set for Sidekiq secrets in README.md might overlook actual secrets. Consider reducing the entropy threshold to ensure sensitive information is detected.

entropy = 5.5
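Review bot: the `entropy = 5.5` threshold on the last line of this hunk is very likely unreachable for the new `sidekiq-secret` rule, so the rule may never fire. Shannon entropy is bounded by log2 of the alphabet size per character: a hex-encoded value tops out at 4.0 bits and even base64 at 6.0, and since `regex = "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=\\S+"` has no capture group, a scanner that scores the whole match will also average in the fixed `export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=` prefix, pulling the figure lower still. Either drop the `entropy` line or wrap the value in a capture group and choose a threshold that matches the credential's character set (around 3.0 for hex). Two coverage gaps as well: the literal `export ` prefix means the same variable written without `export` (a `.env` line or a `bundle config` invocation) is skipped, and `filepath = "README.md"` restricts the rule to that single file, so the variable appearing in CI or Dockerfile lines is never scanned. Suggested shape: `regex = "(?:export\\s+)?BUNDLE_ENTERPRISE__CONTRIBSYS__COM=(\\S+)"` with the filepath restriction removed. Note also that the inline comments above quote the threshold as 5.0 while the hunk sets 5.5; the description or commit message should state the intended value.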

[Lines 42-47] [Score: 2] This rule is similar to the initial detection rule for Sidekiq secrets, but it's specific to the README.md file and has a slightly lower entropy threshold (5.5) compared to the previous rule with higher entropy. It's good to have this rule in place to ensure sensitive data isn't accidentally exposed within the README.md file.