[DO NOT REVIEW] [SVLS-8660] test: gitleaks smoke test (DO NOT MERGE)#1142
litianningdatadog wants to merge 3 commits into main
Adds a dedicated smoke-test script containing a fake AWS access key (AKIAIOSFODNN7EXAMPLE) and fake AWS secret key to verify that the gitleaks Secrets Scan CI job correctly detects and blocks credential-shaped strings committed to a PR. This file is intentionally flagged and must NOT be merged to main. Delete this branch after confirming the CI job fails. See: .github/workflows/secrets-scan.yml (added in PR #1134)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
This PR creates an intentional smoke test for the gitleaks secrets scanning CI job. It adds a shell script containing two well-documented fake AWS credentials from official AWS documentation (AKIAIOSFODNN7EXAMPLE for the access key and wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY for the secret key). The purpose is to verify that the Secrets Scan workflow (introduced in PR #1134) correctly detects and blocks PRs containing credential-shaped strings. The PR is explicitly marked "DO NOT MERGE" and describes a workflow of deleting the test branch after confirming the CI job fails as expected.
Changes:

- Creates `integration-tests/gitleaks-smoke-test.sh` containing fake AWS credentials to test gitleaks detection
- Includes clear documentation explaining the file is a temporary smoke test with references to AWS documentation confirming the credentials are fake
integration-tests/gitleaks-smoke-test.sh (excerpt at the commented lines):

```sh
FAKE_AWS_SECRET="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"



echo "This file is intentionally flagged by gitleaks for smoke-test purposes."
echo "Key: $FAKE_AWS_KEY"
```
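Review bot: the echo lines in this excerpt do not affect what the scanner sees. gitleaks reads the committed file text, so `$FAKE_AWS_KEY` and `$FAKE_AWS_SECRET` contribute nothing credential-shaped; only the literal assignments such as `FAKE_AWS_SECRET="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"` are candidates for a finding. Adding an echo of the secret therefore adds no detection coverage. The bigger problem is the value itself: the commit message further down this page states that the canonical AWS documentation examples are in gitleaks' global allowlist and are not flagged, so this assignment will not exercise the `aws-secret-access-key` rule as the PR intends. Replace it with a unique fake of the same shape, as was later done for the access key.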
The echo statement on line 20 only prints the AWS key but not the AWS secret. Line 17 defines FAKE_AWS_SECRET as well, but only FAKE_AWS_KEY is echoed. For consistency and to verify both credentials are detected by gitleaks, consider also echoing the secret value, or clarify if the secret is only being tested through the variable assignment itself.
Suggested change (replaces the existing `echo "Key: $FAKE_AWS_KEY"` line):

```sh
echo "Key: $FAKE_AWS_KEY"
echo "Secret: $FAKE_AWS_SECRET"
```
The canonical AWS doc examples (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI...) are in gitleaks' internal global allowlist and are not flagged. Replace with unique fake values that match the AKIA[A-Z0-9]{16} pattern but are not suppressed, so the Secrets Scan CI job actually triggers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous key AKIAVQD12YX3RSMOKETEST was 22 chars but gitleaks' aws-access-token rule requires exactly AKIA[A-Z0-9]{16} (20 total). Use AKIAT3STFAKEKEY12345 which is the correct length.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
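The two commits above each hit a way a smoke-test fixture can silently fail to fire: the value is suppressed by an allowlist, or it is the wrong length for a boundary-anchored pattern. The following pre-push check is an added example, not the repository's CI or any part of gitleaks. It mirrors the rule shape the commits describe (`AKIA[A-Z0-9]{16}` on word boundaries) and a value allowlist modelled on the note that the AWS documentation examples are suppressed; both the regex and the `ALLOWLISTED_VALUES` set are assumptions standing in for gitleaks' bundled config, and the three fixtures are constructed for the example. Run it against a fixture before pushing to confirm the job will actually have something to report.

```python
import re

# Shape of the aws-access-token rule as the PR discussion describes it:
# "AKIA" followed by exactly 16 upper-case alphanumerics, on word boundaries.
# Assumption modelled on that description; check the bundled config of the
# gitleaks version CI pins, since the character class and allowlist can
# differ between releases.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA[A-Z0-9]{16})\b")

# Placeholder values a scanner suppresses. The PR notes that the canonical AWS
# documentation examples are allowlisted; this set is an assumed stand-in for
# that allowlist, not gitleaks' own.
ALLOWLISTED_VALUES = frozenset({
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
})


def find_access_key_ids(text: str) -> list[str]:
    """Every AKIA-shaped token in the text, before any allowlisting."""
    return AWS_ACCESS_KEY_ID_RE.findall(text)


def reportable_findings(text: str) -> list[str]:
    """Matches that survive the allowlist, i.e. what would fail the CI job."""
    return [k for k in find_access_key_ids(text) if k not in ALLOWLISTED_VALUES]


def explain_fixture(text: str) -> str:
    """Classify a fixture as 'triggers', 'allowlisted' or 'no match'."""
    if not find_access_key_ids(text):
        return "no match"
    return "triggers" if reportable_findings(text) else "allowlisted"


# Constructed fixtures mirroring the three states this PR went through
# (sample input written for this example, not the repository's file).
FIXTURE_DOC_EXAMPLE = 'FAKE_AWS_KEY="AKIAIOSFODNN7EXAMPLE"\n'      # allowlisted value
FIXTURE_WRONG_LENGTH = 'FAKE_AWS_KEY="AKIAVQD12YX3RSMOKETEST"\n'   # 22 chars, \b never lines up
FIXTURE_CORRECT = 'FAKE_AWS_KEY="AKIAT3STFAKEKEY12345"\n'          # 20 chars, unique value

if __name__ == "__main__":
    for name, fixture in [
        ("doc example", FIXTURE_DOC_EXAMPLE),
        ("22-char key", FIXTURE_WRONG_LENGTH),
        ("20-char key", FIXTURE_CORRECT),
    ]:
        print(f"{name:12} -> {explain_fixture(fixture)}")
```

The 22-character value is the instructive case: the pattern requires a word boundary right after the sixteenth character, and the seventeenth is still a letter, so there is no match at all rather than a truncated one, and the scan passes quietly. Allowlisting is also by value, not by shape, which is why a unique fake of the correct length is needed rather than the documentation placeholder.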
Human review is not needed, as this is to test the GitHub scan feature.
Purpose

Do not merge. This is a smoke-test PR to verify that the `Secrets Scan` CI job added in #1134 correctly detects and blocks PRs containing credential-shaped strings.

What this PR does

Adds `integration-tests/gitleaks-smoke-test.sh` containing:

- a value matching the `AKIA[A-Z0-9]{16}` pattern (`AKIAIOSFODNN7EXAMPLE`)
- a value matching the `aws-secret-access-key` rule

Both values are from official AWS documentation and are not real credentials.

Expected outcome

The `Secrets Scan` job should fail with findings for both fake keys, demonstrating the scanner is working correctly.

After verification

- `Secrets Scan` job fails with gitleaks findings

Related

- `Secrets Scan` workflow and `.gitleaks.toml`

🤖 Generated with Claude Code