chore: ignore http-recorder test fixtures in GitGuardian scans #59
Merged
Conversation
The package contains intentionally-fake API-key-shaped strings used as fixtures asserting the http-recorder's secretFindings() redaction logic. Mirrors .gitleaksignore for the GitGuardian scanner. @opencode-ai/http-recorder is upstream-only dev/test code; not a dependency of any shipped package.
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".gitguardian.yaml">
<violation number="1" location=".gitguardian.yaml:14">
P2: The ignore pattern is too broad for a secret-scanning exception. Scope this to the specific fixture file (or exact finding) so future real secrets in other test files are still detected.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.
PR feedback: ignoring the whole packages/http-recorder/test/** directory is too broad — a future real leak in fixtures/recordings/ would be missed. Narrow to the single record-replay.test.ts file that contains the intentional API-key-shaped fixtures.
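As an added illustration of the narrowing asked for above (this is not the PR's own `.gitguardian.yaml`, which is not shown on this page): the directory-wide glob beside the file-scoped exception, written in ggshield's v2 config schema, where scanner exceptions live under the `secret` key as `ignored_paths` and `ignored_matches`. The hash value in the last section is a placeholder, not a real hash.

```yaml
# Added example, not the PR's actual .gitguardian.yaml.
# ggshield config schema v2: secret-scanning exceptions sit under `secret`.
version: 2

secret:
  # Too broad (what the review flagged): every file under test/ is exempt,
  # so a real credential accidentally committed into fixtures/recordings/
  # would never be reported.
  # ignored_paths:
  #   - "packages/http-recorder/test/**"

  # Narrowed: only the one test file that intentionally carries
  # API-key-shaped fixtures for the secretFindings() redaction tests.
  ignored_paths:
    - "packages/http-recorder/test/record-replay.test.ts"

  # Tightest option (the "exact finding" the review mentions): exempt a single
  # known fixture value by its hash instead of a whole file. ggshield reports
  # the hash to use alongside the finding; the value below is a PLACEHOLDER.
  # ignored_matches:
  #   - name: "http-recorder Google-API-Key-shaped test fixture"
  #     match: "<sha256-of-the-fixture-string>"
```

With either the file-scoped path or the per-match hash, a key-shaped string dropped into any other file under `packages/http-recorder/test/` is still reported, which is the property the review is asking to preserve. The per-match form is the strictest, but it has to be updated whenever upstream changes the fixture value, so the single-file path is the usual compromise for a fixture that is tracked from upstream.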
Summary
Add `.gitguardian.yaml` to suppress the recurring GitGuardian check failure on `packages/http-recorder/test/record-replay.test.ts`.

Background
PR #58's GitGuardian check failed on a "Google API Key" finding at `packages/http-recorder/test/record-replay.test.ts:122` (`AIzaSyDHibiBRvJZLsFnPYPoiTwxY4ztQ55yqCE`). The "secret" is a test fixture: the file asserts that the http-recorder's `secretFindings()` function correctly detects and redacts Google-API-Key-shaped strings, which requires having a key-shaped string in the input.

The string comes from upstream commit `5bb7b2344` (anomalyco/opencode — the native LLM core PR adopted in #58). Upstream has its own `.gitleaksignore` listing the same lines, but gitleaks and GitGuardian are separate scanners with separate ignore files — and our org's GitHub check uses GitGuardian.

Why this is safe
`@opencode-ai/http-recorder` is upstream-only dev/test code. Not a dependency of `browsercode-core`, `bcode-browser`, or `bcode-laminar` — verified by grepping their `package.json` files.

Without this fix
Every future upstream sync will keep re-triggering this check (upstream isn't going to delete a test fixture), so each sync PR would have to be merged over a red GitGuardian check. This adds 14 lines of YAML and the noise goes away.