chore(gitleaks): update allowlist to ignore venv #65
No issues found across 2 files
Pull request overview
This PR updates the gitleaks configuration to exclude virtual environment and cache directories from secret scanning. The changes expand the allowlist beyond just the PR title's mention of venv to also include Ruff cache directories, and make an unrelated cleanup to .gitignore.
Key Changes:
- Expanded gitleaks allowlist to include venv/, .venv/, and .ruff_cache/ directories alongside the existing uv.lock pattern
- Removed documentation build directory patterns (.docs/ and site/) from .gitignore
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .gitleaks.toml | Added allowlist patterns for virtual environment directories (venv/, .venv/) and Ruff cache directory (.ruff_cache/) to prevent false positive secret detections |
| .gitignore | Removed documentation build directory patterns that are no longer needed |
| '''\.lock$''', | ||
| '''\.snap$''', | ||
| '''uv\.lock$''', | ||
| '''venv/''', |
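Review bot: The `'''venv/'''` entry is an unanchored regex, so it allowlists every path that contains the substring venv/, not only directories named venv. It already covers .venv/ on its own and would also skip directories such as prod-venv/ or myvenv/, where a committed secret would then go unreported. Consider anchoring it to a whole path segment, for example `'''(^|/)\.?venv/'''`, which handles both venv/ and .venv/ in one entry.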
Copilot
AI
Dec 22, 2025
The .gitignore file already contains .venv (line 3), which will only ignore that specific directory name at the repository root. However, the gitleaks allowlist pattern \.venv/ uses a regex that will match .venv/ anywhere in the path. Additionally, venv/ in the gitleaks allowlist will match venv/ directories but there's no corresponding entry in .gitignore to prevent these directories from being committed. Consider adding venv/ to .gitignore to maintain consistency between what gitleaks ignores and what git ignores.
| '''venv/''', |
| '''\.ruff_cache/''', | ||
| ] |
Copilot
AI
Dec 22, 2025
The .ruff_cache/ directory added to the gitleaks allowlist should also be present in .gitignore to prevent it from being committed to the repository. This cache directory is generated by the Ruff linter and typically should not be tracked by git. Consider adding .ruff_cache/ to .gitignore for consistency.
| '''\.ruff_cache/''', | |
| ] | |
| ] |
glebedel
left a comment
LGTM
Summary by cubic
Updated gitleaks allowlist to ignore venv folders (venv/, .venv/) and the ruff cache, and only allow uv.lock. Cleaned up .gitignore by removing old docs build paths (.docs/ and site/).
Written for commit c5acf4c. Summary will update automatically on new commits.
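As an added illustration (not code from this repository or from gitleaks), the Python sketch below applies the allowlist patterns named in the review to constructed file paths and compares them with hypothetical segment-anchored variants. It assumes each pattern is an unanchored regex search over the file path, as the Copilot comment describes; `ANCHORED_PATTERNS` and every sample path are assumptions made for the example.

```python
import re

# Path patterns the PR overview and review comments name for .gitleaks.toml.
PR_PATTERNS = [r"uv\.lock$", r"\.venv/", r"venv/", r"\.ruff_cache/"]

# Hypothetical tighter variants (not from the PR): each name must be a whole
# path segment, i.e. start at the beginning of the path or right after a "/".
ANCHORED_PATTERNS = [r"(^|/)uv\.lock$", r"(^|/)\.?venv/", r"(^|/)\.ruff_cache/"]

# Constructed sample paths, not taken from any real repository.
SAMPLE_PATHS = [
    ".venv/lib/python3.12/site-packages/pkg/config.py",
    "venv/bin/activate",
    "services/api/.venv/pyvenv.cfg",
    "deploy/prod-venv/secrets.env",
    "tools/myvenv/settings.py",
    "vendor/uv.lock",
    "backup/notuv.lock",
    "old.ruff_cache/data.json",
    "src/settings.py",
]


def suppressed_by(path, patterns):
    """Return the patterns that would allowlist `path` (unanchored search)."""
    return [p for p in patterns if re.search(p, path)]


def newly_scanned(paths, loose, strict):
    """Paths skipped under `loose` that would be scanned again under `strict`."""
    return [
        p for p in paths
        if suppressed_by(p, loose) and not suppressed_by(p, strict)
    ]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        hits = suppressed_by(path, PR_PATTERNS)
        state = "skipped" if hits else "scanned"
        print(f"{state:8} {path}  {hits}")
    print("Scanned again with anchored patterns:")
    for path in newly_scanned(SAMPLE_PATHS, PR_PATTERNS, ANCHORED_PATTERNS):
        print("  " + path)
```

Running a check like this over `git ls-files` output before merging an allowlist change shows which tracked files the new patterns would stop scanning.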