From 3d814126f5f469f378c2b52a6ecfdf0baa590583 Mon Sep 17 00:00:00 2001 From: Madhavendra Rathore Date: Thu, 16 Jul 2026 17:27:49 +0530 Subject: [PATCH] chore: allowlist Arrow IPC base64 false positives in .gitleaksignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Databricks global pre-push secret scanner runs `gitleaks detect` over each new branch's commit range. The `aws-access-token` rule (which targets AKIA…/ASIA…-style keys) collides with high-entropy base64 substrings inside the Apache Arrow IPC payloads stored in the arrowbased testdata fixtures ("batch": "/////..."), producing 24 false positives across 8 files. These are binary result data, not credentials (entropy ~1.5 vs ~4.3+ for a real key). All were introduced by f27a47b ("Fetch results in arrow format", #109), so they re-surface on every new branch whose scan range walks back through history and re-includes that commit — even for commits that never touch these files, forcing SKIP_SECRET_SCAN=1 on unrelated pushes. Committing a repo-root .gitleaksignore (the same fix databricks-driver-test uses) suppresses them permanently for all branches. Co-authored-by: Isaac Signed-off-by: Madhavendra Rathore --- .gitleaksignore | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .gitleaksignore diff --git a/.gitleaksignore b/.gitleaksignore new file mode 100644 index 00000000..4d83be3b --- /dev/null +++ b/.gitleaksignore @@ -0,0 +1,40 @@ +# gitleaks finding suppression file (read automatically by `gitleaks +# detect`, which the Databricks global pre-push hook runs). +# +# False positive: these testdata fixtures embed Apache Arrow IPC +# payloads as base64 ("batch": "/////..."), which are binary result +# data — NOT credentials. The gitleaks `aws-access-token` rule (which +# targets AKIA…/ASIA…-style keys) collides with arbitrary high-entropy +# base64 substrings inside the Arrow chunk (entropy ~1.5 vs ~4.3+ for a +# real AWS key). +# +# `gitleaks detect` fingerprints are commit-SHA-prefixed. All of these +# were introduced by commit f27a47b ("Fetch results in arrow format", +# #109), so they re-surface whenever a new branch's scan range walks +# back through history and re-includes that commit — even for commits +# that never touch these files. + +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/all_types.json:aws-access-token:291 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/all_types_arrow_schema.json:aws-access-token:299 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/all_types_native_complex.json:aws-access-token:280 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/all_types_time_strings.json:aws-access-token:291 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/all_types_with_schema_native.json:aws-access-token:280 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/arrays_native.json:aws-access-token:242 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:197 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:201 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:209 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:213 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:225 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:253 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:265 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:277 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:285 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:293 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:317 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:329 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:345 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:369 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:373 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:389 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/diamonds.json:aws-access-token:409 +f27a47bb8e2208f6963393bbe4504b6e2b600648:internal/rows/arrowbased/testdata/structs_native.json:aws-access-token:61