docs 📝: Add new rule to detect Sidekiq secret in README.md #23

Merged
Jose merged 19 commits from dev into main 2026-02-14 11:02:56 +01:00
3 changed files with 32 additions and 1 deletions
Showing only changes of commit c9a6f0e092


@@ -26,6 +26,7 @@ jobs:
- name: Run Gitleaks
run: |
gitleaks dir . \
--config-path .gitleaks.toml \
--redact=10 \
--verbose \
--exit-code 1
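
Review bot: confirm that `--config-path` is a flag the installed gitleaks binary accepts before this merges; the `dir` subcommand belongs to gitleaks v8, whose config flag is documented as `-c`/`--config`, and an unrecognised flag makes the step fail on usage instead of scanning, which `--exit-code 1` would then report as if secrets had been found. A second consequence of this one-line change is worth stating in the workflow or PR description: pointing gitleaks at a custom config replaces the built-in ruleset unless `.gitleaks.toml` opts back in with `[extend] useDefault = true`, so the scan now only reports what that file defines.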

.gitleaks.toml Normal file

@@ -0,0 +1,30 @@
title = "Gitleaks Config"
# ==========================
Review

[Lines 1-3] [Score: 2] These lines are just a title and comments; they don't affect the logic or functionality of the code. However, it could be beneficial to include a brief description about what this configuration file does for someone who may not be familiar with Gitleaks.

# Allowlist / False Positive Rules
# ==========================
# [[allowlist]]
# description = "Ignore placeholder secrets in README.md"
# filepath = "README.md"
Review

[Lines 6-8] [Score: 2] This rule allows the ignoring of placeholder secrets within the README.md file, which is a common practice to help avoid false positives during scans. It's good to have this allowlist rule in place to prevent unnecessary alerts.

# # Add all placeholder-like patterns that trigger false positives
# regex = "cafebabe|deadbeef|DB_PASSWORD"
[[allowlist]]
Review

[Lines 10-12] [Score: 2] This line includes specific patterns to ignore in the README.md file, such as cafebabe and deadbeef (common byte sequences), and DB_PASSWORD (likely a placeholder). These are common best practices when setting up Gitleaks allowlists.

description = "Ignore badge URLs in README"
filepath = "README.md"
regex = "https://img.shields.io"
Review

[Lines 14-16] [Score: 2] This rule allows ignoring badge URLs within the README.md file, which is a common practice to help avoid false positives during scans. It's good to have this allowlist rule in place to prevent unnecessary alerts.

# ==========================
# Rules
# ==========================
[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = "(?i)(api[_-]?key|secret|token)=\\S+"

[Lines 20-23] [Score: 2] This rule is for detecting generic API keys (regex pattern provided) that may be hardcoded or leaked in the source code. It's a good practice to have rules like this in place to ensure sensitive data isn't accidentally exposed.

entropy = 3.5
[[rules]]
id = "sidekiq-secret"
description = "Sidekiq Secret"
regex = "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=\\S+"
entropy = 2.5

[Lines 26-30] [Score: 2] This rule is for detecting Sidekiq secrets (regex pattern provided) that may be hardcoded or leaked in the source code. It's a good practice to have rules like this in place to ensure sensitive data isn't accidentally exposed.

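
Review bot: as written this config narrows the scan to the two rules defined here, because a custom gitleaks config replaces the default ruleset rather than adding to it; add

[extend]
useDefault = true

near the top so the built-in AWS, GitHub, Slack and other detectors keep running (the upstream defaults already ship a rule with the id `sidekiq-secret`, so once defaults are extended either rename this one or drop the local copy). Two further points in the same file: the `sidekiq-secret` regex has no capture group and no `secretGroup`, so the entire `export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=...` match is treated as the secret, which inflates the entropy that `entropy = 2.5` is checked against and makes the redacted finding less useful; writing the value as `=(\\S+)` with `secretGroup = 1` fixes both. And the active `[[allowlist]]` uses `filepath`/`regex` keys, while the documented global allowlist is a single `[allowlist]` table with `paths = [...]` and `regexes = [...]` arrays; unrecognised keys are ignored without an error, so verify locally that a README containing an `img.shields.io` URL carrying a `token=` query string is actually suppressed, since `generic-api-key` would otherwise flag it. Note also that the README placeholder allowlist in lines 6-12 is entirely commented out, so `API_KEY=...`-style examples in README.md will still be reported by `generic-api-key` unless their entropy falls below 3.5.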


@@ -26,7 +26,7 @@
| Swap handling | ✅ | ✅ | ✅ |
| Logrotate protection | ✅ | ✅ | ✅ |
| Powertop auto-tune | ✅ | ✅ | ✅ |
| API utilities | ✅ | ✅ | ✅ |
| Utilities | ✅ | ✅ | ✅ |
## 📂 Directory Structure
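
Review bot: the same-size header `@@ -26,7 +26,7 @@` indicates a modified row rather than an added one, but without `+`/`-` markers in this rendering the changed row cannot be told apart from context, and none of the visible rows mentions Gitleaks or the secret-scanning check that the PR title describes; if the README is meant to document that check, add a row or sentence naming the workflow step and the `.gitleaks.toml` it reads, and call out the changed row in the PR description so reviewers can see what moved.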