git-gate: match the bottle's injected known secrets, not just gitleaks patterns #346
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Problem
There's an asymmetry in how the two exfiltration chokepoints decide what's a secret:
known_secretsand blocked regardless of shape (plustoken_patternsfor shape-based catches).So a secret that doesn't match any bundled gitleaks rule can be exfiltrated via
git pusheven though the exact same value is blocked on the egress path. gitleaks only reliably flags separator-prefixed, high-entropy tokens (ghp_,xoxb-,glpat-, …) in a bare/keyword-free context; it does not catch arbitrary API keys, a bare hex/base64 blob, the canonical AWS example key (allowlisted), or provider keys that need a nearby keyword (AWS/GCP). A malicious agent can therefore embed a known-injected secret in a committed file in a shape gitleaks ignores and push it out.Discovered via
The sandbox-escape integration test (
tests/integration/test_sandbox_escape.py, attack 5). We had to reshape its planted secrets to gitleaks-pattern-matchable values (github/slack/gitlab) just to get the push actually rejected — which itself demonstrates the gap: the original fixtures (anthropic key, AWS example key, generic hex) were blocked on egress but sailed through git-gate.Ask
Feed the bottle's known injected secrets into git-gate's pre-receive scan so push is protected symmetrically with egress. Options:
known_secret, layered on top of the bundled ruleset. Then a singlegitleaks gitinvocation covers both bundled patterns and the injected values.known_secretsmechanism, ideally sharing the same source of truth.Either way the goal is one shared definition of "the secrets this bottle holds" enforced at every egress boundary (HTTP, DNS, git).
Notes
Ref: surfaced alongside the sandbox-escape host-key/gitleaks fixture fixes.