Gitleaks Explicitly Allowlists All Files Containing Secrets
The repository's Gitleaks config explicitly exempts the very env files that contain secrets (.env.ci, .env.dev, .env.prod), neutralizing the scanner's value. Fixed by removing the env files from the paths allowlist.
Description
The repository ships a Gitleaks configuration, suggesting active intent to prevent secret leakage. However, the [allowlist] section explicitly exempts precisely the files that contain the most critical secrets:
paths = ['''\\.env\\.ci$''','''\\.env\\.local\\.sample$''','''\\.env\\.dev$''','''\\.env\\.prod$''','''\\.mock\\.ts$''','''\\.stub\\.ts$''',...]
We understand the developers already acknowledge this; it is nonetheless recorded here, at INFORMATIONAL severity only.
Impact
Gitleaks running locally or in CI will silently pass even when these files contain plaintext secrets, which eliminates the scanner's value as a defense for exactly the files most likely to leak credentials.
Recommendation
Remove .env.ci, .env.local.sample, .env.dev, and .env.prod from the Gitleaks allowlist paths immediately.
Enforce Gitleaks as a blocking CI check on all branches, not just main.
Resolution
Fixed in PR #3748: the env files were removed from the .gitleaks.toml paths allowlist, and per-line # gitleaks:allow annotations were added to known-safe fixtures only.