update false positive secret detection allowlist (#3239)

apollographql · Sep 28, 2023 · d1b3da6 · d1b3da6
1 parent 72dbf4c
commit d1b3da6
Showing 1 changed file with 28 additions and 3 deletions.
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -1,3 +1,18 @@
+# This file exists primarily to influence scheduled scans that Apollo runs of all repos in Apollo-managed orgs.
+# This is an Apollo-Internal link, but more information about these scans is available here:
+# https://apollographql.atlassian.net/wiki/spaces/SecOps/pages/81330213/Everything+Static+Application+Security+Testing#Scheduled-Scans.1
+#
+# Apollo is using Gitleaks (https://github.com/gitleaks/gitleaks) to run these scans.
+# However, this file is not something that Gitleaks natively consumes. This file is an
+# Apollo-convention. Prior to scanning a repo, Apollo merges
+# our standard Gitleaks configuration (which is largely just the Gitleaks-default config) with
+# this file if it exists in a repo. The combined config is then used to scan a repo.
+#
+# We did this because the natively-supported allowlisting functionality in Gitleaks didn't do everything we wanted
+# or wasn't as robust as we needed. For example, one of the allowlisting options offered by Gitleaks depends on the line number
+# on which a false positive secret exists to allowlist it. (https://github.com/gitleaks/gitleaks#gitleaksignore).
+# This creates a fairly fragile allowlisting mechanism. This file allows us to leverage the full capabilities of the Gitleaks rule syntax
+# to create allowlisting functionality.
 
 [[ rules ]]
     id = "high-entropy-base64"
@@ -10,7 +25,17 @@
 [[ rules ]]
     id = "generic-api-key"
     [ rules.allowlist ]
-        commits = [
-            "474554504e7e33cef2a71774f825d5b3947ff797",
-
+
+        paths = [
+            # Allowlists a false positive detection at  
+            # https://github.com/apollographql/apollo-ios/blob/474554504e7e33cef2a71774f825d5b3947ff797/Tests/ApolloCodegenTests/TestHelpers/ASTMatchers.swift#L72
+            # This was previously allowlisted via commit hash, but updating that rule
+            # To support allowlisting false positive detections in the files below as well.
+            '''Tests/ApolloCodegenTests/TestHelpers/ASTMatchers.swift''',
+
+            # Allowlist the various high-entropy strings in xcscmblueprint files
+            '''Apollo.xcodeproj/project.xcworkspace/xcshareddata/Apollo.xcscmblueprint$''',
+            '''ApolloSQLite.xcodeproj/project.xcworkspace/xcshareddata/ApolloSQLite.xcscmblueprint$''',
+            '''Apollo.xcworkspace/xcshareddata/Apollo.xcscmblueprint$''',
         ]
+