Skip to content

Commit 2b59cff

Browse files
VijitSingh97claude
andcommitted
fix(ci): generalize the gitleaks curl-auth allowlist to ${VAR:-default}
develop-v1.5's wallet-healthcheck.sh uses env-var interpolation (`-u "${VAR:-wallet}:..."`), not a hardcoded credential; the all-branches fetch-depth:0 scan flagged it against the old empty-default-only regex. Both sides must still be ${VAR:-...} expansions, so a real -u "admin:hunter2" is still caught. (Same fix as #462 on develop-v1.5.) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1 parent eac43e3 commit 2b59cff

1 file changed

Lines changed: 4 additions & 3 deletions

File tree

.gitleaks.toml

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -5,9 +5,10 @@ useDefault = true
55
[allowlist]
66
description = "Accepted false positives"
77
regexTarget = "line"
8-
# curl auth assembled from shell ENV VARS (e.g. `-u "${USER:-}:${PASS:-}"`) is not a hardcoded
8+
# curl auth assembled from shell ENV VARS (e.g. `-u "${USER:-}:${PASS:-wallet}"`) is not a hardcoded
99
# secret — the upstream `curl-auth-user` rule can't distinguish `${VAR}` from a literal credential.
10-
# This pattern only matches env-var expansions, so a real `-u "admin:hunter2"` is still caught.
10+
# Both sides must be `${VAR:-default}` expansions (default optional), so a real `-u "admin:hunter2"`
11+
# is still caught.
1112
regexes = [
12-
'''-u "\$\{[A-Z_]+:-\}:\$\{[A-Z_]+:-\}"''',
13+
'''-u "\$\{[A-Z_]+:-[^}]*\}:\$\{[A-Z_]+:-[^}]*\}"''',
1314
]

0 commit comments

Comments
 (0)