.gitleaks.toml

# This file exists primarily to influence scheduled scans that Apollo runs of all repos in Apollo-managed orgs.
# This is an Apollo-Internal link, but more information about these scans is available here:
# https://apollographql.atlassian.net/wiki/spaces/SecOps/pages/81330213/Everything+Static+Application+Security+Testing#Scheduled-Scans.1
#
# Apollo is using Gitleaks (https://github.com/gitleaks/gitleaks) to run these scans.
# However, this file is not something that Gitleaks natively consumes. This file is an
# Apollo-convention. Prior to scanning a repo, Apollo merges
# our standard Gitleaks configuration (which is largely just the Gitleaks-default config) with
# this file if it exists in a repo. The combined config is then used to scan a repo.
#
# We did this because the natively-supported allowlisting functionality in Gitleaks didn't do everything we wanted
# or wasn't as robust as we needed. For example, one of the allowlisting options offered by Gitleaks depends on the line number
# on which a false positive secret exists to allowlist it. (https://github.com/gitleaks/gitleaks#gitleaksignore).
# This creates a fairly fragile allowlisting mechanism. This file allows us to leverage the full capabilities of the Gitleaks rule syntax
# to create allowlisting functionality.


[[ rules ]]
    id = "generic-api-key"
    [ rules.allowlist ]
        commits = [
            # This creates an allowlist for a UUID that was
            # used as an identifier, but is not secret
            # See https://github.com/apollographql/vscode-graphql/blob/a905280c143991b3fd675f8b4c3a7da277ccf095/packages/apollo-language-server/src/engine/index.ts#L86
            "a905280c143991b3fd675f8b4c3a7da277ccf095"
        ]

[[ rules ]]
    id = "private-key"
    [ rules.allowlist ]
        paths = [
            '''sampleWorkspace/httpSchema/self-signed.key$''',
        ]