Files
wehub-resource-sync 7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:08:55 +08:00

61 lines
2.3 KiB
Markdown

# ADR-0001: Remove detect-secrets in favor of gitleaks
**Date:** 2026-02-28
**Status:** Accepted
## Context
The repository used two pre-commit secret scanners:
1. **detect-secrets** (Yelp) — entropy + pattern analysis, tracking false positives
in a `.secrets.baseline` JSON file (173 KB, ~5200 lines)
2. **gitleaks** — pattern-based detection with path/regex allowlists in
`.gitleaks.toml`
### Problems with detect-secrets
detect-secrets tracks known false positives using **line numbers** in
`.secrets.baseline`. When any file changes above a flagged line, the baseline
shifts and must be regenerated. This caused:
- **Constant merge conflicts** on `.secrets.baseline` across branches
- **Manual re-staging** of the baseline on every commit touching flagged files
- **173 KB of PR churn** unrelated to actual secret scanning
All 34 entropy-only detections in the baseline were verified as false positives
(git SHAs, GPG fingerprints, base64 character sets, test fixtures).
### Why gitleaks is sufficient
- gitleaks uses **path-based and regex-based** allowlists (`.gitleaks.toml`)
that are stable across line changes — no baseline regeneration needed
- gitleaks covers every service-specific detector that detect-secrets provides
(AWS, GitHub, Stripe, Slack, etc.)
- gitleaks runs as both a **pre-commit hook** and in **CI workflows**
(`gitleaks.yml` on PRs, `gitleaks-main.yml` as release gate)
- Additional CI coverage from **Semgrep** (`p/secrets`) and **Bearer**
(`scanner: sast,secrets`) in the release gate
## Decision
Remove detect-secrets entirely:
- Delete the `Yelp/detect-secrets` hook from `.pre-commit-config.yaml`
- Delete `.secrets.baseline`
- Clean up references in `.gitleaks.toml`, `.gitleaksignore`, `CODEOWNERS`,
`danger-zone-alert.yml`, `SECURITY_REVIEW_PROCESS.md`, `SECURITY.md`,
and `.file-whitelist.txt`
**Do not re-add detect-secrets.** Use `.gitleaks.toml` allowlists for managing
false positives instead.
## Consequences
- Eliminates merge conflicts and churn from `.secrets.baseline`
- Simplifies the pre-commit pipeline (one secret scanner instead of two)
- False positives are managed via `.gitleaks.toml` path/regex allowlists and
`.gitleaksignore` commit fingerprints, both of which are stable across
line-number changes
- No loss of detection coverage — gitleaks + Semgrep + Bearer provide
equivalent or better coverage