Files
wehub-resource-sync 7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:08:55 +08:00

2.3 KiB

ADR-0001: Remove detect-secrets in favor of gitleaks

Date: 2026-02-28 Status: Accepted

Context

The repository used two pre-commit secret scanners:

  1. detect-secrets (Yelp) — entropy + pattern analysis, tracking false positives in a .secrets.baseline JSON file (173 KB, ~5200 lines)
  2. gitleaks — pattern-based detection with path/regex allowlists in .gitleaks.toml

Problems with detect-secrets

detect-secrets tracks known false positives using line numbers in .secrets.baseline. When any file changes above a flagged line, the baseline shifts and must be regenerated. This caused:

  • Constant merge conflicts on .secrets.baseline across branches
  • Manual re-staging of the baseline on every commit touching flagged files
  • 173 KB of PR churn unrelated to actual secret scanning

All 34 entropy-only detections in the baseline were verified as false positives (git SHAs, GPG fingerprints, base64 character sets, test fixtures).

Why gitleaks is sufficient

  • gitleaks uses path-based and regex-based allowlists (.gitleaks.toml) that are stable across line changes — no baseline regeneration needed
  • gitleaks covers every service-specific detector that detect-secrets provides (AWS, GitHub, Stripe, Slack, etc.)
  • gitleaks runs as both a pre-commit hook and in CI workflows (gitleaks.yml on PRs, gitleaks-main.yml as release gate)
  • Additional CI coverage from Semgrep (p/secrets) and Bearer (scanner: sast,secrets) in the release gate

Decision

Remove detect-secrets entirely:

  • Delete the Yelp/detect-secrets hook from .pre-commit-config.yaml
  • Delete .secrets.baseline
  • Clean up references in .gitleaks.toml, .gitleaksignore, CODEOWNERS, danger-zone-alert.yml, SECURITY_REVIEW_PROCESS.md, SECURITY.md, and .file-whitelist.txt

Do not re-add detect-secrets. Use .gitleaks.toml allowlists for managing false positives instead.

Consequences

  • Eliminates merge conflicts and churn from .secrets.baseline
  • Simplifies the pre-commit pipeline (one secret scanner instead of two)
  • False positives are managed via .gitleaks.toml path/regex allowlists and .gitleaksignore commit fingerprints, both of which are stable across line-number changes
  • No loss of detection coverage — gitleaks + Semgrep + Bearer provide equivalent or better coverage