didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

git-gate: restrict gitleaks inline suppression to supervised exceptions #208

New Issue
Closed
opened 2026-06-06 14:40:17 -04:00 by didericis-claude · 0 comments
didericis-claude commented 2026-06-06 14:40:17 -04:00
Collaborator
Copy Link
Copy Source

Background

# gitleaks:allow inline suppression is currently enabled in git-gate (the default gitleaks behaviour). This was useful during early development — test fixtures that deliberately construct credential-shaped strings (e.g. "npm_" + "A" * 36) would otherwise require manual exception entries for every pattern we add.

However, the same mechanism means any agent with write access to the repo could silence a real-secret finding by appending # gitleaks:allow to the offending line. That bypasses git-gate entirely and is not detectable after the fact from the commit diff alone.

What should change

Add a supervisor control flow for gitleaks findings:

  1. When git-gate detects a # gitleaks:allow annotation on a finding, route it to the supervisor rather than auto-allowing it.
  2. The supervisor presents the flagged line + file path and asks the human to confirm one of:
    • Allow (test fixture): the file is under tests/ or similar and the value is clearly a dummy credential.
    • Allow (false positive): the pattern matched something that is not actually a secret (e.g. a regex literal, a documentation example).
    • Block: the annotation looks like an attempt to sneak a real secret through.
  3. Only on explicit human approval does the push proceed.

This keeps # gitleaks:allow usable as a developer convenience while closing the agent-bypass path — the agent can write the annotation, but a human still has to confirm it before it lands.

Scope

  • Changes to git-gate pre-receive hook logic (or a wrapper around it).
  • The supervisor UI/flow for this case (similar to existing egress-block and capability-block supervisor controls).
  • Until this is implemented, # gitleaks:allow remains enabled as-is; the risk is accepted for the current development phase.

References

## Background `# gitleaks:allow` inline suppression is currently enabled in git-gate (the default gitleaks behaviour). This was useful during early development — test fixtures that deliberately construct credential-shaped strings (e.g. `"npm_" + "A" * 36`) would otherwise require manual exception entries for every pattern we add. However, the same mechanism means any agent with write access to the repo could silence a real-secret finding by appending `# gitleaks:allow` to the offending line. That bypasses git-gate entirely and is not detectable after the fact from the commit diff alone. ## What should change Add a **supervisor control flow** for gitleaks findings: 1. When git-gate detects a `# gitleaks:allow` annotation on a finding, route it to the supervisor rather than auto-allowing it. 2. The supervisor presents the flagged line + file path and asks the human to confirm one of: - **Allow (test fixture):** the file is under `tests/` or similar and the value is clearly a dummy credential. - **Allow (false positive):** the pattern matched something that is not actually a secret (e.g. a regex literal, a documentation example). - **Block:** the annotation looks like an attempt to sneak a real secret through. 3. Only on explicit human approval does the push proceed. This keeps `# gitleaks:allow` usable as a developer convenience while closing the agent-bypass path — the agent can write the annotation, but a human still has to confirm it before it lands. ## Scope - Changes to git-gate pre-receive hook logic (or a wrapper around it). - The supervisor UI/flow for this case (similar to existing egress-block and capability-block supervisor controls). - Until this is implemented, `# gitleaks:allow` remains enabled as-is; the risk is accepted for the current development phase. ## References - gitleaks inline suppression docs: https://github.com/gitleaks/gitleaks?tab=readme-ov-file#inline-scan-suppression - Existing supervisor controls: `mcp__supervise__egress-block`, `mcp__supervise__capability-block` - PRD 0053 (where the issue was first observed): #205
didericis added the Kind/Security label 2026-06-06 14:40:32 -04:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label Kind/Security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#208
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?