7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
2.3 KiB
2.3 KiB
ADR-0001: Remove detect-secrets in favor of gitleaks
Date: 2026-02-28 Status: Accepted
Context
The repository used two pre-commit secret scanners:
- detect-secrets (Yelp) — entropy + pattern analysis, tracking false positives
in a
.secrets.baselineJSON file (173 KB, ~5200 lines) - gitleaks — pattern-based detection with path/regex allowlists in
.gitleaks.toml
Problems with detect-secrets
detect-secrets tracks known false positives using line numbers in
.secrets.baseline. When any file changes above a flagged line, the baseline
shifts and must be regenerated. This caused:
- Constant merge conflicts on
.secrets.baselineacross branches - Manual re-staging of the baseline on every commit touching flagged files
- 173 KB of PR churn unrelated to actual secret scanning
All 34 entropy-only detections in the baseline were verified as false positives (git SHAs, GPG fingerprints, base64 character sets, test fixtures).
Why gitleaks is sufficient
- gitleaks uses path-based and regex-based allowlists (
.gitleaks.toml) that are stable across line changes — no baseline regeneration needed - gitleaks covers every service-specific detector that detect-secrets provides (AWS, GitHub, Stripe, Slack, etc.)
- gitleaks runs as both a pre-commit hook and in CI workflows
(
gitleaks.ymlon PRs,gitleaks-main.ymlas release gate) - Additional CI coverage from Semgrep (
p/secrets) and Bearer (scanner: sast,secrets) in the release gate
Decision
Remove detect-secrets entirely:
- Delete the
Yelp/detect-secretshook from.pre-commit-config.yaml - Delete
.secrets.baseline - Clean up references in
.gitleaks.toml,.gitleaksignore,CODEOWNERS,danger-zone-alert.yml,SECURITY_REVIEW_PROCESS.md,SECURITY.md, and.file-whitelist.txt
Do not re-add detect-secrets. Use .gitleaks.toml allowlists for managing
false positives instead.
Consequences
- Eliminates merge conflicts and churn from
.secrets.baseline - Simplifies the pre-commit pipeline (one secret scanner instead of two)
- False positives are managed via
.gitleaks.tomlpath/regex allowlists and.gitleaksignorecommit fingerprints, both of which are stable across line-number changes - No loss of detection coverage — gitleaks + Semgrep + Bearer provide equivalent or better coverage