From c8eceadb8048d985445ace2c9b14fb86c71ce74b Mon Sep 17 00:00:00 2001
From: Tianning Li
Date: Mon, 30 Mar 2026 16:12:41 -0400
Subject: [PATCH 1/3] =?UTF-8?q?test:=20gitleaks=20smoke=20test=20=E2=80=94?= =?UTF-8?q?=20intentional=20fake=20credential?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a dedicated smoke-test script containing a fake AWS access key (AKIAIOSFODNN7EXAMPLE) and fake AWS secret key to verify that the gitleaks Secrets Scan CI job correctly detects and blocks credential- shaped strings committed to a PR. This file is intentionally flagged and must NOT be merged to main. Delete this branch after confirming the CI job fails. See: .github/workflows/secrets-scan.yml (added in PR #1134)

Co-Authored-By: Claude Sonnet 4.6
---
 integration-tests/gitleaks-smoke-test.sh | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 integration-tests/gitleaks-smoke-test.sh

diff --git a/integration-tests/gitleaks-smoke-test.sh b/integration-tests/gitleaks-smoke-test.sh
new file mode 100644
index 000000000..795be0ceb
--- /dev/null
+++ b/integration-tests/gitleaks-smoke-test.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# SMOKE TEST ONLY — do not merge to main
+#
+# This file exists solely to verify that the gitleaks Secrets Scan CI job
+# correctly blocks PRs containing credential-shaped strings.
+#
+# After confirming the CI job fails on this branch, delete this file and
+# remove this branch.
+#
+# See: .github/workflows/secrets-scan.yml
+# See: PR #1134 test plan — "Optional smoke test" step
+
+# Fake AWS access key that matches the AKIA[A-Z0-9]{16} pattern.
+# This key is from official AWS documentation and is not a real credential.
+# Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
+FAKE_AWS_KEY="AKIAIOSFODNN7EXAMPLE"
+FAKE_AWS_SECRET="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+
+echo "This file is intentionally flagged by gitleaks for smoke-test purposes."
+echo "Key: $FAKE_AWS_KEY"
From 18d9930420e23a4f74ac4fbb3d90d6ccc69589c4 Mon Sep 17 00:00:00 2001
From: Tianning Li
Date: Mon, 30 Mar 2026 16:21:17 -0400
Subject: [PATCH 2/3] test: use non-allowlisted fake credentials in gitleaks smoke test

The canonical AWS doc examples (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI...) are in gitleaks' internal global allowlist and are not flagged. Replace with unique fake values that match the AKIA[A-Z0-9]{16} pattern but are not suppressed, so the Secrets Scan CI job actually triggers.

Co-Authored-By: Claude Sonnet 4.6
---
 integration-tests/gitleaks-smoke-test.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/integration-tests/gitleaks-smoke-test.sh b/integration-tests/gitleaks-smoke-test.sh
index 795be0ceb..b423ba40c 100644
--- a/integration-tests/gitleaks-smoke-test.sh
+++ b/integration-tests/gitleaks-smoke-test.sh
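Review bot: Nothing in the new file's header guards against the one failure mode that would defeat it: if this path is ever added to a `.gitleaksignore` or a gitleaks allowlist, the Secrets Scan job passes and the "do not merge" fixture becomes a committed decoy credential pair that no longer alerts anyone. Worth stating that explicitly next to the "SMOKE TEST ONLY" line, e.g. `# Never add this path to .gitleaksignore or a gitleaks allowlist — the scan failing on it is the test.` Separately, `FAKE_AWS_SECRET` is assigned but never referenced (shellcheck SC2034); if it is kept deliberately so the fixture also exercises a secret-key rule, a one-line comment saying so would stop a later cleanup from removing it.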
@@ -11,10 +11,11 @@
 # See: PR #1134 test plan — "Optional smoke test" step
 
 # Fake AWS access key that matches the AKIA[A-Z0-9]{16} pattern.
-# This key is from official AWS documentation and is not a real credential.
-# Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
-FAKE_AWS_KEY="AKIAIOSFODNN7EXAMPLE"
-FAKE_AWS_SECRET="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+# NOT a real credential — generated for smoke-test purposes only.
+# Deliberately avoids the canonical AWS doc examples (AKIAIOSFODNN7EXAMPLE)
+# which are in gitleaks' internal global allowlist and would not be flagged.
+FAKE_AWS_KEY="AKIAVQD12YX3RSMOKETEST"
+FAKE_AWS_SECRET="sM0keT3st+FaKeK3y/ABCDEFGHIJ1234567890ab"
 
 echo "This file is intentionally flagged by gitleaks for smoke-test purposes."
 echo "Key: $FAKE_AWS_KEY"
From 9bd81b95af138496b47e443e0921928b978b797b Mon Sep 17 00:00:00 2001
From: Tianning Li
Date: Mon, 30 Mar 2026 16:28:27 -0400
Subject: [PATCH 3/3] test: fix fake AWS key length to exactly 20 chars for gitleaks match

The previous key AKIAVQD12YX3RSMOKETEST was 22 chars but gitleaks' aws-access-token rule requires exactly AKIA[A-Z0-9]{16} (20 total). Use AKIAT3STFAKEKEY12345 which is the correct length.

Co-Authored-By: Claude Sonnet 4.6
---
 integration-tests/gitleaks-smoke-test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/integration-tests/gitleaks-smoke-test.sh b/integration-tests/gitleaks-smoke-test.sh
index b423ba40c..016c4564c 100644
--- a/integration-tests/gitleaks-smoke-test.sh
+++ b/integration-tests/gitleaks-smoke-test.sh
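Review bot: The replacement values lean on recognisable tokens (`T3st`, `FaKeK3y`) and the sequential runs `ABCDEFGHIJ` / `1234567890`, and as far as I recall gitleaks' default configuration carries a global stopword list on top of the documented-example regexes this commit works around; I would confirm against the actual CI run that neither value is suppressed by it rather than assume so, given this is already the second set of values that looked flaggable on paper. The new comment block above `FAKE_AWS_KEY` should also name the finding the job is expected to produce, so whoever reads the failing run can tell the planted finding from a genuine one: `# Expected gitleaks finding: rule aws-access-token on FAKE_AWS_KEY.` That rule id is currently only in a commit message on this series, not in the file.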
@@ -14,7 +14,7 @@
 # NOT a real credential — generated for smoke-test purposes only.
 # Deliberately avoids the canonical AWS doc examples (AKIAIOSFODNN7EXAMPLE)
 # which are in gitleaks' internal global allowlist and would not be flagged.
-FAKE_AWS_KEY="AKIAVQD12YX3RSMOKETEST"
+FAKE_AWS_KEY="AKIAT3STFAKEKEY12345"
 FAKE_AWS_SECRET="sM0keT3st+FaKeK3y/ABCDEFGHIJ1234567890ab"
 
 echo "This file is intentionally flagged by gitleaks for smoke-test purposes."
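Review bot: The exact-length requirement this commit discovered lives only in the commit message; the context comment above the value still says just `AKIA[A-Z0-9]{16}`, and nothing stops the next edit from padding the key again the way the previous commit did, after which the fixture would silently stop matching. Make the constraint visible and self-enforcing right after the assignment: `(( ${#FAKE_AWS_KEY} == 20 )) || { printf 'FAKE_AWS_KEY must be exactly 20 chars (AKIA + 16 [A-Z0-9]) for the aws-access-token rule\n' >&2; exit 1; }`. The trailing `echo "Key: ..."` line of the script is outside this hunk.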