
chore: Add a .gitleaks.toml to fix the false positives from the infosec scans #2452

Open
lholmquist wants to merge 1 commit into redhat-developer:main from lholmquist:add-gitleaks-toml

Conversation

@lholmquist
Member

There were some invalid access tokens in some of the test files that were triggering the infosec scans to report false positives.

After talking with that group, it was recommended that we add this .gitleaks.toml file and add those to the allowed list so the scans would not report them.

I confirmed that the scan ignores these by running the rh-gitleaks tool locally.

cc @kim-tsao

Hey, I just made a Pull Request!

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

@lholmquist lholmquist requested review from a team as code owners March 4, 2026 20:20
@rhdh-qodo-merge

Review Summary by Qodo

Add .gitleaks.toml to suppress false positive token detections

📦 Other


Walkthroughs

Description
• Add .gitleaks.toml configuration file
• Allowlist three test tokens to prevent false positives
• Suppress infosec scan warnings for known test credentials
Diagram
flowchart LR
  A["Infosec Scans"] -- "detect test tokens" --> B["False Positives"]
  C[".gitleaks.toml"] -- "allowlist tokens" --> B
  B -- "suppressed" --> D["Clean Scan Results"]


File Changes

1. .gitleaks.toml ⚙️ Configuration changes +8/-0

Add gitleaks allowlist configuration for test tokens

• Create new gitleaks configuration file with allowlist section
• Add three test token patterns to the allowlist regex list
• Prevent infosec scanner from flagging known test credentials



@rhdh-qodo-merge

rhdh-qodo-merge bot commented Mar 4, 2026

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📎 Requirement gaps (0)



Action required

1. Global token allowlist 🐞 Bug ⛨ Security
Description
The new .gitleaks.toml globally allowlists full token-like values, meaning if any of these values
ever appear outside the intended test fixtures, gitleaks will silently ignore them and you may miss
a real leak. Since these values come from test fixtures, a safer approach is to redact/replace them
in fixtures (or scope allowlisting to fixture paths) rather than allowlisting the raw token strings
repo-wide.
Code

.gitleaks.toml[R1-8]

+[allowlist]
+description = "Global Allowlist"
+
+regexes = [
+  '''ABTLWHOULUVAXGTRYU7OC2876QJ2O''',
+  '''GR1348941oP5naQnWsbJRTvXHC7VJ''',
+  '''ghs_16C7e42F292c6912E7710c838347Ae178B4a''',
+]
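Review bot: the file has no `[extend]` section and no `[[rules]]`, so if the scanner loads this `.gitleaks.toml` as the complete gitleaks config rather than layering it on the default rules, a clean scan means there were no rules to match, not that the allowlist worked; add `[extend]` with `useDefault = true` above `[allowlist]` so the default rule set stays in force. Note also that the three `regexes` apply to every file in the repository, and that adding a `paths` entry on its own does not narrow them: gitleaks ORs the criteria of an allowlist unless `condition = "AND"` is set (the `[[allowlists]]` form in recent releases), so a bare `paths = ['''workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/.*''']` would exempt the whole fixture tree from every rule instead of confining these three values to it.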
Evidence
The PR adds a global allowlist of token-like strings. Those exact values appear in bulk-import
backend test fixtures that are served verbatim by MSW handlers, so the token contents are test data
and can typically be replaced with non-secret placeholders instead of suppressing detections across
the entire repository.

.gitleaks.toml[1-8]
workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/github/app/installations/app-installation-1-access-tokens.json[1-4]
workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/github/repos/my-ent-org-2/A2/repo.json[205-223]
workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/github/user/repos.json[94-103]
workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/handlers.ts[24-36]
workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/handlers.ts[53-64]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A repo-wide gitleaks allowlist containing full token-like values suppresses detection everywhere and keeps realistic token strings in the repository.

## Issue Context
The allowlisted strings appear to come from bulk-import backend MSW fixtures.

## Fix Focus Areas
- .gitleaks.toml[1-8]
- workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/github/app/installations/app-installation-1-access-tokens.json[1-4]
- workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/github/repos/my-ent-org-2/A2/repo.json[205-223]
- workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/github/user/repos.json[94-103]
- workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/handlers.ts[24-36]
- workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/handlers.ts[53-64]




Remediation recommended

2. Unanchored allowlist patterns 🐞 Bug ⛨ Security
Description
The allowlist uses regex entries that are not explicitly anchored, which increases the chance of
accidentally matching more than intended if these values ever appear as substrings in other detected
secrets or data. Anchoring to exact matches (and adding brief comments) makes the allowlist safer
and easier to audit.
Code

.gitleaks.toml[R4-8]

+regexes = [
+  '''ABTLWHOULUVAXGTRYU7OC2876QJ2O''',
+  '''GR1348941oP5naQnWsbJRTvXHC7VJ''',
+  '''ghs_16C7e42F292c6912E7710c838347Ae178B4a''',
+]
Evidence
The PR uses the regexes mechanism and provides bare token strings as regex patterns. Adding
^...$ anchors would clearly constrain the allowlist to exact matches only and reduce accidental
broad suppression.

.gitleaks.toml[4-8]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Allowlist values are provided as unanchored regex patterns, which is less safe/auditable than exact-match anchoring.

## Issue Context
These entries look like exact tokens rather than patterns; anchoring makes intent explicit.

## Fix Focus Areas
- .gitleaks.toml[4-8]



3. Unjustified allowlist value 🐞 Bug ⛨ Security
Description
The allowlist includes a third token-like value (GR1348941oP5naQnWsbJRTvXHC7VJ) that is not shown in
the known fixture examples alongside the other two values, making it hard to audit why it must be
suppressed. Unexplained allowlist entries increase the chance of hiding a real future finding;
remove it or document the exact fixture/path/field that requires it.
Code

.gitleaks.toml[R5-7]

+  '''ABTLWHOULUVAXGTRYU7OC2876QJ2O''',
+  '''GR1348941oP5naQnWsbJRTvXHC7VJ''',
+  '''ghs_16C7e42F292c6912E7710c838347Ae178B4a''',
Evidence
Two allowlisted values clearly correspond to fixture values (temp_clone_token and token). The
GR... value is present in the global allowlist but does not appear in the inspected fixture
examples, so its origin/purpose should be documented (or the entry removed).

.gitleaks.toml[4-8]
workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/github/user/repos.json[99-103]
workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/github/app/installations/app-installation-1-access-tokens.json[1-3]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
An unexplained token-like value is allowlisted globally without clear provenance.

## Issue Context
Other allowlisted values map to fixture fields; this one should as well, or be removed.

## Fix Focus Areas
- .gitleaks.toml[4-8]



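A tightened version of the same allowlist, as an added example written for this review and not the configuration in the PR: it keeps the default gitleaks rule set in force, confines the three entries to the fixture tree, and anchors each value so it only matches exactly. It assumes gitleaks v8 config syntax, the `[[allowlists]]` form with `condition = "AND"` (introduced in v8.21; older releases only have the singular `[allowlist]` and OR the criteria, in which case the `paths` entry must be dropped or it will exempt every file under it), and that the fixtures live under the `__fixtures__` path cited in the review above. The per-entry comments reflect only what the review itself states about each value.

```toml
# Added example, not the PR's .gitleaks.toml. Assumes gitleaks >= 8.21 and the
# fixture path named in the review (workspaces/bulk-import/.../__fixtures__).

[extend]
# A config without this line defines no rules at all, so a "clean" scan would
# only mean nothing was scanned for.
useDefault = true

[[allowlists]]
description = "Fake tokens served verbatim by bulk-import-backend MSW fixtures"

# Require every criterion below to match (default is OR, where a path match
# alone would suppress all findings in the fixture tree).
condition = "AND"

# Only findings whose file path matches are eligible for suppression.
paths = [
  '''workspaces/bulk-import/plugins/bulk-import-backend/__fixtures__/.*''',
]

# "secret" (the default) compares each regex against the captured secret,
# so ^...$ turns each entry into an exact-value match, not a substring.
regexTarget = "secret"
regexes = [
  '''^ABTLWHOULUVAXGTRYU7OC2876QJ2O$''',             # temp_clone_token, user/repos.json
  '''^GR1348941oP5naQnWsbJRTvXHC7VJ$''',             # origin not shown in the review; document or remove (item 3)
  '''^ghs_16C7e42F292c6912E7710c838347Ae178B4a$''',  # token, app-installation-1-access-tokens.json
]
```

The same three strings appearing in any file outside `__fixtures__` are still reported, and because the patterns are anchored a longer secret that happens to contain one of them is still reported too. Replacing the fixture values with obviously fake placeholders remains the stronger fix, since that removes the need for an allowlist at all.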

@sonarqubecloud

sonarqubecloud bot commented Mar 4, 2026

Comment on lines +1 to +8
[allowlist]
description = "Global Allowlist"

regexes = [
'''ABTLWHOULUVAXGTRYU7OC2876QJ2O''',
'''GR1348941oP5naQnWsbJRTvXHC7VJ''',
'''ghs_16C7e42F292c6912E7710c838347Ae178B4a''',
]


Action required

1. Global token allowlist 🐞 Bug ⛨ Security

The new .gitleaks.toml globally allowlists full token-like values, meaning if any of these values
ever appear outside the intended test fixtures, gitleaks will silently ignore them and you may miss
a real leak. Since these values come from test fixtures, a safer approach is to redact/replace them
in fixtures (or scope allowlisting to fixture paths) rather than allowlisting the raw token strings
repo-wide.
