7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
61 lines
2.3 KiB
Markdown
61 lines
2.3 KiB
Markdown
# ADR-0001: Remove detect-secrets in favor of gitleaks
|
|
|
|
**Date:** 2026-02-28
|
|
**Status:** Accepted
|
|
|
|
## Context
|
|
|
|
The repository used two pre-commit secret scanners:
|
|
|
|
1. **detect-secrets** (Yelp) — entropy + pattern analysis, tracking false positives
|
|
in a `.secrets.baseline` JSON file (173 KB, ~5200 lines)
|
|
2. **gitleaks** — pattern-based detection with path/regex allowlists in
|
|
`.gitleaks.toml`
|
|
|
|
### Problems with detect-secrets
|
|
|
|
detect-secrets tracks known false positives using **line numbers** in
|
|
`.secrets.baseline`. When any file changes above a flagged line, the baseline
|
|
shifts and must be regenerated. This caused:
|
|
|
|
- **Constant merge conflicts** on `.secrets.baseline` across branches
|
|
- **Manual re-staging** of the baseline on every commit touching flagged files
|
|
- **173 KB of PR churn** unrelated to actual secret scanning
|
|
|
|
All 34 entropy-only detections in the baseline were verified as false positives
|
|
(git SHAs, GPG fingerprints, base64 character sets, test fixtures).
|
|
|
|
### Why gitleaks is sufficient
|
|
|
|
- gitleaks uses **path-based and regex-based** allowlists (`.gitleaks.toml`)
|
|
that are stable across line changes — no baseline regeneration needed
|
|
- gitleaks covers every service-specific detector that detect-secrets provides
|
|
(AWS, GitHub, Stripe, Slack, etc.)
|
|
- gitleaks runs as both a **pre-commit hook** and in **CI workflows**
|
|
(`gitleaks.yml` on PRs, `gitleaks-main.yml` as release gate)
|
|
- Additional CI coverage from **Semgrep** (`p/secrets`) and **Bearer**
|
|
(`scanner: sast,secrets`) in the release gate
|
|
|
|
## Decision
|
|
|
|
Remove detect-secrets entirely:
|
|
|
|
- Delete the `Yelp/detect-secrets` hook from `.pre-commit-config.yaml`
|
|
- Delete `.secrets.baseline`
|
|
- Clean up references in `.gitleaks.toml`, `.gitleaksignore`, `CODEOWNERS`,
|
|
`danger-zone-alert.yml`, `SECURITY_REVIEW_PROCESS.md`, `SECURITY.md`,
|
|
and `.file-whitelist.txt`
|
|
|
|
**Do not re-add detect-secrets.** Use `.gitleaks.toml` allowlists for managing
|
|
false positives instead.
|
|
|
|
## Consequences
|
|
|
|
- Eliminates merge conflicts and churn from `.secrets.baseline`
|
|
- Simplifies the pre-commit pipeline (one secret scanner instead of two)
|
|
- False positives are managed via `.gitleaks.toml` path/regex allowlists and
|
|
`.gitleaksignore` commit fingerprints, both of which are stable across
|
|
line-number changes
|
|
- No loss of detection coverage — gitleaks + Semgrep + Bearer provide
|
|
equivalent or better coverage
|