chore: sync security config files (#107)

* chore: sync semgrep.yaml from security-config

* chore: sync .gitleaksignore from security-config

* chore: sync .gitleaksignore from security-config

* chore: sync .gitleaks.toml from security-config

* chore: sync .gitleaks.toml from security-config

---------

Co-authored-by: security-config-sync[bot] <265242129+security-config-sync[bot]@users.noreply.github.com>

Author: security-config-sync[bot]

.gitleaks.toml

@@ -0,0 +1,57 @@
+# Gitleaks configuration for opendatahub-io repos
+# Synced from security-config. Do not edit in target repos.
+#
+# Path allowlists use Go regex syntax.
+# Real credentials should NEVER be committed to any repository.
+
+[extend]
+  useDefault = true
+
+[allowlist]
+  description = "Exclude test fixtures, mock data, sample configs, and CI resources"
+  paths = [
+    # Go testdata directories
+    '''testdata/''',
+
+    # Python test data directories
+    '''test_data/''',
+
+    # Test fixtures
+    '''fixtures/''',
+
+    # JavaScript/TypeScript mocks
+    '''__mocks__/''',
+
+    # Go/Java/TS mock directories
+    '''mocks/''',
+    '''k8mocks/''',
+
+    # Sample and example configs with placeholder credentials
+    '''docs/samples/''',
+    '''config/samples/''',
+    '''config/overlays/test/''',
+
+    # CI/GitHub Actions test resources
+    '''\.github/resources/''',
+
+    # E2E test credentials
+    '''test/e2e/credentials/''',
+    '''tests/e2e/credentials/''',
+
+    # OpenShift CI sample resources
+    '''openshift-ci/resources/samples/''',
+
+    # Cypress test data
+    '''cypress/fixtures/''',
+    '''cypress/tests/mocked/''',
+
+    # Test certificate and key files
+    '''tests/data/.*\.(pem|crt|key)$''',
+  ]
+
+  # Known test/placeholder credentials used in documentation and tests
+  regexes = [
+    '''database-password\s*:\s*"?(The)?BlurstOfTimes"?''',
+    '''database-user\s*:\s*"?mlmduser"?''',
+    '''database-user\s*:\s*"?modelregistryuser"?''',
+  ]

.gitleaksignore

@@ -0,0 +1,5 @@
+# Gitleaks ignore file
+# Add false positive fingerprints below (one per line)
+# Format: commit:file:rule-id:line or file:rule-id:line
+#
+# For path-based exclusions, use .gitleaks.toml allowlist instead.