-
Notifications
You must be signed in to change notification settings - Fork 720
Expand file tree
/
Copy path.gitleaks.toml
More file actions
50 lines (42 loc) · 2.26 KB
/
Copy path.gitleaks.toml
File metadata and controls
50 lines (42 loc) · 2.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# Gitleaks configuration for the AGT monorepo.
#
# Extends the upstream gitleaks default ruleset and adds path-based allowlists
# for test fixtures and credential-redaction code that intentionally contain
# fake secrets, plus a narrowly scoped allowlist for the vendored Agent Control
# Specification (ACS) subtree under policy-engine/, whose example apps and SDK
# test fixtures intentionally embed deterministic, non-functional placeholder
# credentials (e.g. "ghp_secret123", "finalSecret42") to exercise
# secret-redaction and tool-gating behavior. These are not real secrets and
# never authenticate against any service.
#
# Prefer path-based rules here over .gitleaksignore fingerprints, which
# break on squash merges (new commit SHA = new fingerprint needed).
title = "AGT gitleaks config"
[extend]
useDefault = true
[allowlist]
description = "Allowlist for test fixtures, redaction patterns, and vendored ACS placeholder tokens"
paths = [
# Vendored ACS example apps and SDK/test fixtures use deliberately fake placeholder tokens
'''policy-engine/examples/.*''',
'''policy-engine/sdk/node/test/.*''',
'''policy-engine/.*/(test|tests|fixtures)/.*''',
# Credential redaction test fixtures (fake keys used to test redaction)
'''agent-governance-python/agent-discovery/tests/test_process_redaction\.py''',
'''agent-governance-python/agent-os/tests/test_credential_redactor\.py''',
'''agent-governance-dotnet/tests/AgentGovernance\.Tests/McpCredentialRedactorTests\.cs''',
# Credential redactor source (contains regex patterns that match secret formats)
'''agent-governance-rust/agentmesh-mcp/src/mcp/redactor\.rs''',
# MCP proxy audit tests (fake tokens in test data)
'''agent-governance-python/agent-mesh/packages/mcp-proxy/tests/.*\.test\.ts''',
# Security scanner tests (intentional fake credentials)
'''agent-governance-python/agent-compliance/tests/test_security_scanner\.py''',
# Policy template test fixtures (deterministic fake credentials for policy evaluation)
'''examples/policy-templates/fixtures/.*''',
# AgentMesh integration test suites (fake tokens, JWTs in test data)
'''agent-governance-python/agentmesh-integrations/.*/tests/.*''',
]
regexes = [
'''ghp_secret123''',
'''finalSecret42''',
]