From 66b76c2ace221d7303e6456adcd23afc7a343d66 Mon Sep 17 00:00:00 2001
From: Achilleas Koutsou
Date: Fri, 1 Oct 2021 13:56:57 +0200
Subject: [PATCH] gitleaks: add allow list for test passwords and keys

Add a .gitleaks.toml file that lists all the test passwords and paths to keys that should be ignored by the security scanner. This avoids false positives so we can enable the scanner to catch actual leaks.

Closes #1747

Signed-off-by: Achilleas Koutsou
---
 .gitleaks.toml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 .gitleaks.toml

diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 000000000..e7cf59541
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,10 @@
+[allowlist]
+ description = "Test keys and passwords that should not be reported as leaks"
+ regexes = [
+ '''\$6\$BhyxFBgrEFh0VrPJ\$MllG8auiU26x2pmzL4\.1maHzPHrA\.4gTdCvlATFp8HJU9UPee4zCS9BVl2HOzKaUYD\/zEm8r\/OF05F2icWB0K''', # qcow2 test manifest user password
+ '''\\\$6\\\$GRmb7S0p8vsYmXzH\\\$o0E020S\.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ\/OkwZQfW\/76ktHd0NX5nls2LPxPuUdl\.''', # hashed user password for ostree tests
+ ]
+ paths = [
+ '''test/data/keyring/id_rsa''', # boot test private key
+ '''internal/crypt/crypt_test.go''', # sample hashed passwords for testing crypt sniffer function
+ ]
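Review bot: The two `paths` entries in the hunk are gitleaks regexes and both are unanchored, so `'''test/data/keyring/id_rsa'''` also suppresses findings for any path that merely contains that substring, and the unescaped `.` in `crypt_test.go` matches any character. Anchoring them, `'''^test/data/keyring/id_rsa$'''` and `'''^internal/crypt/crypt_test\.go$'''`, limits the allowlist to exactly the two fixture files. Allowlisting `internal/crypt/crypt_test.go` by path also means any real credential added to that test file later is never reported; if the sample hashed passwords in it are the only reason for the entry, listing them under `regexes`, as the other two hashes already are, would be narrower. A comment above `[allowlist]` noting that `paths` disables scanning of the whole file whereas `regexes` only suppress the quoted values would make that trade-off explicit to the next editor.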