From 4e35bc38b2c4a4f3fbe4946a79a5ebbfd33b615d Mon Sep 17 00:00:00 2001
From: agar
Date: Thu, 4 Sep 2025 08:47:52 +0200
Subject: [PATCH 1/2] feat(gitleaks): test
---
 .github/workflows/ci.yml | 4 ++
 .gitleaks.toml | 79 ++++++++++++++++++++++++++++++++++++++++
 src/handler.ts | 2 +-
 3 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 .gitleaks.toml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index aa885f6..0a538f7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,7 @@ on:
 jobs:
 test:
 runs-on: ubuntu-latest
+ permissions: write-all
 strategy:
 matrix:
@@ -20,6 +21,9 @@ jobs:
 - uses: gitleaks/gitleaks-action@v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_ENABLE_UPLOAD_ARTIFACT: 'false'
+ GITLEAKS_VERSION: '8.28.0'
+ GITLEAKS_LOG_LEVEL: 'trace'
 - name: Use Node.js ${{ matrix.node-version }}
 uses: actions/setup-node@v4
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..a380272
--- /dev/null
+++ b/.gitleaks.toml
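Review bot: `permissions: write-all` on the added line hands the job's `GITHUB_TOKEN` every write scope, although the gitleaks step it was added for only reads the repository and, at most, comments on a pull request; every other step in the same job (the Node test steps that follow) could then push commits, alter releases or rewrite workflow state with that token. Scope it to what is actually used: `permissions:` with `contents: read` and, only if gitleaks-action is expected to comment on pull requests, `pull-requests: write`. I cannot see the `on:` block from this hunk, so whether the job also runs on events where the token is already read-only is not visible here.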
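Review bot: `GITLEAKS_LOG_LEVEL: 'trace'` is a debugging level for a step whose whole output concerns secret candidates; at trace the scanner logs considerably more about what it examined and matched, and CI logs are readable by anyone with read access to the repository, so confirm that findings stay redacted at this level before merging — the subject line `feat(gitleaks): test` suggests the setting was meant to be temporary. The pin `GITLEAKS_VERSION: '8.28.0'` is good practice; add a short comment above it, such as `# pinned on purpose: bump deliberately after reviewing the gitleaks changelog`, so it is not mistaken for a stale value. With `GITLEAKS_ENABLE_UPLOAD_ARTIFACT: 'false'` the only record of a finding is the log, so make sure the step still fails the job on a leak rather than being treated as advisory output.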
@@ -0,0 +1,79 @@
+title = "Custom Gitleaks Config for GC Secrets"
+
+# Extend the default gitleaks config to keep all standard rules
+[extend]
+useDefault = true
+
+# Rule for gc_client_id - catches any non-empty value
+[[rules]]
+id = "gc-client-id"
+description = "GC Client ID - any non-empty value"
+regex = '''gc_client_id['"]?\s*[:=]\s*['"]([^'"\s]+)['"]'''
+keywords = ["gc_client_id"]
+tags = ["gc", "client", "id"]
+
+# Rule for gc_client_secret - catches any non-empty value
+[[rules]]
+id = "gc-client-secret"
+description = "GC Client Secret - any non-empty value"
+regex = '''gc_client_secret['"]?\s*[:=]\s*['"]([^'"\s]+)['"]'''
+keywords = ["gc_client_secret"]
+tags = ["gc", "client", "secret"]
+
+# Alternative broader rules that catch various formatting styles
+
+# Catches gc_client_id with various quote styles and spacing
+[[rules]]
+id = "gc-client-id-broad"
+description = "GC Client ID with flexible formatting"
+regex = '''gc_client_id\s*[=:]\s*["'`]?([^"'`\s,;}]+)["'`]?'''
+keywords = ["gc_client_id"]
+tags = ["gc", "client", "id"]
+
+# Catches gc_client_secret with various quote styles and spacing
+[[rules]]
+id = "gc-client-secret-broad"
+description = "GC Client Secret with flexible formatting"
+regex = '''gc_client_secret\s*[=:]\s*["'`]?([^"'`\s,;}]+)["'`]?'''
+keywords = ["gc_client_secret"]
+tags = ["gc", "client", "secret"]
+
+# Super aggressive rules that catch ANY line containing these keys with values
+
+# Any line with gc_client_id and a value
+[[rules]]
+id = "gc-client-id-any"
+description = "Any line with gc_client_id and a value"
+regex = '''(?i)gc_client_id.*[:=].*\S+'''
+keywords = ["gc_client_id"]
+tags = ["gc", "client", "id"]
+
+# Any line with gc_client_secret and a value
+[[rules]]
+id = "gc-client-secret-any"
+description = "Any line with gc_client_secret and a value"
+regex = '''(?i)gc_client_secret.*[:=].*\S+'''
+keywords = ["gc_client_secret"]
+tags = ["gc", "client", "secret"]
+
+# Allowlist section - you can add patterns to ignore false positives
+[allowlist]
+# Example: Ignore if the value is explicitly empty or a placeholder
+paths = [
+ '''test/.*''', # Ignore test directories
+ '''.*\.test\..*''', # Ignore test files
+]
+
+# You can also allowlist specific commit patterns
+commits = [
+ '''(?i)(test|testing|example)''', # Ignore commits with "test" in the message
+]
+
+# Uncomment below to allowlist specific patterns (be careful with this!)
+# [[allowlist.regexes]]
+# regex = '''gc_client_id:\s*["']?["']?''' # Would ignore empty values
+# description = "Ignore empty gc_client_id"
+
+# [[allowlist.regexes]]
+# regex = '''gc_client_secret:\s*["']?["']?''' # Would ignore empty values
+# description = "Ignore empty gc_client_secret"
\ No newline at end of file
diff --git a/src/handler.ts b/src/handler.ts
index af88721..a23e8cc 100644
--- a/src/handler.ts
+++ b/src/handler.ts
@@ -70,7 +70,7 @@ if (require.main === module) {
 clientContext: {
 gc_client_id: '',
 gc_client_secret: '',
- gc_aws_region: 'us-east-1'
+ gc_aws_region: '',
 }
 };
From ea84998639324113cae0143e1f20db2555b3b1a5 Mon Sep 17 00:00:00 2001
From: agar
Date: Thu, 11 Sep 2025 08:32:12 +0200
Subject: [PATCH 2/2] feat(gitleaks): adapt custom config
---
 .gitleaks.toml | 60 +-------------------------------------------------
 1 file changed, 1 insertion(+), 59 deletions(-)
diff --git a/.gitleaks.toml b/.gitleaks.toml
index a380272..0d3d6e1 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
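Review bot: The `commits` entry under `[allowlist]` will never suppress anything, because gitleaks matches `commits` against commit SHAs rather than commit messages, so `'''(?i)(test|testing|example)'''` is dead configuration — and had it worked the way the trailing comment describes, any commit whose message mentions "test" would be a trivial way to get a real credential past the scan. Drop the entry, or replace it with the exact SHA of a reviewed false positive, and correct the comment `# You can also allowlist specific commit patterns` to say that SHAs are expected. The commented-out `[[allowlist.regexes]]` blocks also do not match the config shape: `regexes` is a plain array of strings under `[allowlist]` (`regexes = ['''...''']`), so uncommenting them as written would fail to load, and since their only purpose is to hide empty values it is cleaner to make the `-any` rules demand a non-empty value instead. Allowlisting everything under `test/` trades coverage for quiet; fixtures are a common place for copied production credentials, so a narrower pattern is safer.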
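Review bot: Replacing `'us-east-1'` with `''` on the changed line blanks out the one default in this sample `clientContext` that was not a secret; none of the rules in this patch's `.gitleaks.toml` match `gc_aws_region`, so the scanner gains nothing, while an empty region handed to an AWS SDK client normally fails at runtime (I cannot see how the handler consumes it from this hunk). If the goal is to avoid hard-coding environment specifics, read it from the environment with a fallback, e.g. `gc_aws_region: process.env.AWS_REGION ?? 'us-east-1',`, rather than an empty string that looks configured but is not. The enclosing `if (require.main === module)` block continues outside the hunk.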
@@ -4,42 +4,6 @@ title = "Custom Gitleaks Config for GC Secrets"
 [extend]
 useDefault = true
 
-# Rule for gc_client_id - catches any non-empty value
-[[rules]]
-id = "gc-client-id"
-description = "GC Client ID - any non-empty value"
-regex = '''gc_client_id['"]?\s*[:=]\s*['"]([^'"\s]+)['"]'''
-keywords = ["gc_client_id"]
-tags = ["gc", "client", "id"]
-
-# Rule for gc_client_secret - catches any non-empty value
-[[rules]]
-id = "gc-client-secret"
-description = "GC Client Secret - any non-empty value"
-regex = '''gc_client_secret['"]?\s*[:=]\s*['"]([^'"\s]+)['"]'''
-keywords = ["gc_client_secret"]
-tags = ["gc", "client", "secret"]
-
-# Alternative broader rules that catch various formatting styles
-
-# Catches gc_client_id with various quote styles and spacing
-[[rules]]
-id = "gc-client-id-broad"
-description = "GC Client ID with flexible formatting"
-regex = '''gc_client_id\s*[=:]\s*["'`]?([^"'`\s,;}]+)["'`]?'''
-keywords = ["gc_client_id"]
-tags = ["gc", "client", "id"]
-
-# Catches gc_client_secret with various quote styles and spacing
-[[rules]]
-id = "gc-client-secret-broad"
-description = "GC Client Secret with flexible formatting"
-regex = '''gc_client_secret\s*[=:]\s*["'`]?([^"'`\s,;}]+)["'`]?'''
-keywords = ["gc_client_secret"]
-tags = ["gc", "client", "secret"]
-
-# Super aggressive rules that catch ANY line containing these keys with values
-
 # Any line with gc_client_id and a value
 [[rules]]
 id = "gc-client-id-any"
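Review bot: After this hunk the only rule left for `gc_client_id` is `gc-client-id-any`, and its `(?i)gc_client_id.*[:=].*\S+` accepts the quote characters themselves as the "value", so the placeholder `gc_client_id: ''` in src/handler.ts (touched in the previous patch) is reported as a leak, with no capture group to isolate what was matched; the deleted `gc-client-id-broad` rule was the more precise of the two, so this change keeps the noisy rule and drops the useful one. If one rule per key is the goal, keep the catch-all's case-insensitivity but require at least one non-quote character and tell gitleaks which group is the secret: `regex = '''(?i)gc_client_id\s*[:=]\s*["'`]?([^"'`\s]+)'''` followed by `secretGroup = 1`. The same applies to `gc-client-secret-any` in the next hunk (@@ -54,26 +18,4 @@), which also removes the allowlist that might otherwise have masked the false positive.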
@@ -54,26 +18,4 @@ id = "gc-client-secret-any"
 description = "Any line with gc_client_secret and a value"
 regex = '''(?i)gc_client_secret.*[:=].*\S+'''
 keywords = ["gc_client_secret"]
-tags = ["gc", "client", "secret"]
-
-# Allowlist section - you can add patterns to ignore false positives
-[allowlist]
-# Example: Ignore if the value is explicitly empty or a placeholder
-paths = [
- '''test/.*''', # Ignore test directories
- '''.*\.test\..*''', # Ignore test files
-]
-
-# You can also allowlist specific commit patterns
-commits = [
- '''(?i)(test|testing|example)''', # Ignore commits with "test" in the message
-]
-
-# Uncomment below to allowlist specific patterns (be careful with this!)
-# [[allowlist.regexes]]
-# regex = '''gc_client_id:\s*["']?["']?''' # Would ignore empty values
-# description = "Ignore empty gc_client_id"
-
-# [[allowlist.regexes]]
-# regex = '''gc_client_secret:\s*["']?["']?''' # Would ignore empty values
-# description = "Ignore empty gc_client_secret"
\ No newline at end of file
+tags = ["gc", "client", "secret"]
\ No newline at end of file