fix: resolve gitleaks false positives with explicit config and baseline

The gitleaks action was still flagging placeholder API key examples
despite having them in the allowlist. This fix addresses the root causes:

1. Add explicit GITLEAKS_CONFIG environment variable to the workflow to
   ensure the config file is loaded by gitleaks-action v2

2. Add GITLEAKS_BASELINE_PATH to use the baseline ignore file

3. Add secretGroup = 2 to the generic-secret rule to extract just the
   secret value (not the full match including KEY=), allowing the
   existing allowlist regexes like 'your-.*-key-here' to work properly

4. Create .gitleaksignore baseline file with specific fingerprints for
   known false positives in historical commits

5. Update .gitignore to track .gitleaksignore file

6. Add .gitleaksignore to file-whitelist-check scripts in both
   .github/scripts/ and .pre-commit-hooks/
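
To illustrate item 3 above, here is an added Python sketch (not the project's code, and not gitleaks itself) of why `secretGroup = 2` lets the allowlist work: the rule regex is the one from this commit's `.gitleaks.toml`; the allowlist pattern `^your-.*-key-here$` (assumed to be anchored, as an allowlist tested against the bare secret would be) and the sample lines are constructed.

```python
import re

# generic-secret rule from the commit: group 1 is the keyword alternation,
# group 2 is the bare value (the optional quotes sit outside the group).
GENERIC_SECRET = re.compile(
    r"""(?i)(password|secret|token|key)\s*[:=]\s*['"]?([a-zA-Z0-9_\-@#$%^&*]{8,})['"]?"""
)

# Assumed allowlist, anchored so it matches only the whole placeholder value.
ALLOWLIST = [re.compile(p) for p in (r"^your-.*-key-here$", r"^changeme$")]


def extract_secret(line, secret_group):
    """Return what the scanner would report as the secret, or None.

    secret_group=0 mimics the old rule (the whole match, including the
    keyword and separator); secret_group=2 mimics the new rule.
    """
    m = GENERIC_SECRET.search(line)
    return m.group(secret_group) if m else None


def is_allowlisted(secret):
    return any(r.search(secret) for r in ALLOWLIST)


def scan(line, secret_group):
    """Classify one line as 'clean', 'allowlisted' or 'finding'."""
    secret = extract_secret(line, secret_group)
    if secret is None:
        return "clean"
    return "allowlisted" if is_allowlisted(secret) else "finding"


if __name__ == "__main__":
    # Constructed sample lines: README/.env.template placeholders and a real-looking value.
    samples = [
        "OPENAI_API_KEY=your-openai-key-here",
        'SECRET_KEY="your-django-key-here"',
        'password = "hunter2hunter2"',
        "token: abc",
    ]
    for line in samples:
        print(f"{line!r:45} old={scan(line, 0):11} new={scan(line, 2)}")
```

With the old rule the reported secret is `KEY=your-openai-key-here`, which the anchored allowlist rejects; with group 2 it is `your-openai-key-here`, which it accepts.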
LearningCircuit
2026-01-25 12:24:23 +01:00
parent 2e3e4e1f9c
commit 0fa151a4eb
6 changed files with 23 additions and 1 deletions


@@ -32,6 +32,7 @@ ALLOWED_PATTERNS=(
"^\.coveragerc$"
"^\.secrets\.baseline$"
"^\.gitleaks\.toml$"
"^\.gitleaksignore$"
"^pytest\.ini$"
"^LICENSE$"
"^README$"
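Review bot: this ALLOWED_PATTERNS entry is added by hand here and again in the other file-whitelist-check script, so the two arrays must be kept in sync manually; consider having both scripts read one shared pattern file (or at least adding a CI check that the two arrays are identical) so the next allowlisted dotfile cannot land in one script and not the other.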


@@ -39,3 +39,5 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_USERNAME: ${{ github.actor }}
GITHUB_REPOSITORY: ${{ github.repository }}
GITLEAKS_CONFIG: .gitleaks.toml
GITLEAKS_BASELINE_PATH: .gitleaksignore
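Review bot: `GITLEAKS_BASELINE_PATH` is pointed at a fingerprint list, but a gitleaks baseline (`--baseline-path`) is a JSON report from a previous scan, while a `.gitleaksignore` in the repository root is picked up by gitleaks without any setting; please confirm that gitleaks-action v2 honours this variable and that the scan does not fail parsing the file, and otherwise drop this line and rely on the root `.gitleaksignore`. A short comment next to `GITLEAKS_CONFIG: .gitleaks.toml` saying why the explicit path is needed (the commit message says the root config was not being loaded) would save the next reader from removing it as redundant.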

.gitignore vendored

@@ -68,6 +68,7 @@
.*/
!.github/
!.github/**
!.gitleaksignore
# Allow installer files only in installers directory
!installers/**/*.bat
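Review bot: `!.gitleaksignore` only has an effect if an earlier rule ignores the file, and the visible `.*/` matches dot-directories only, so unless another pattern matches dotfiles this negation is a no-op; confirm with `git check-ignore -v .gitleaksignore` and, if the rule is needed, a one-line comment naming the pattern it overrides (as the installer rule below does) would make that clear.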


@@ -56,7 +56,8 @@ keywords = ["BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY", "BEGIN OPENSSH PRIVATE
[[rules]]
description = "Generic secret/password pattern"
id = "generic-secret"
regex = '''(?i)(password|secret|token|key)\s*[:=]\s*['"]?[a-zA-Z0-9_\-@#$%^&*]{8,}['"]?'''
regex = '''(?i)(password|secret|token|key)\s*[:=]\s*['"]?([a-zA-Z0-9_\-@#$%^&*]{8,})['"]?'''
secretGroup = 2
keywords = ["password", "secret", "token", "key"]
# Allowlist - exclude common false positives
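Review bot: the capture group added to the regex is group 2 (group 1 is the keyword alternation) and the optional quote sits outside it, so `secretGroup = 2` correctly reports the bare value as the secret. The allowlist is not in this hunk, so please confirm its regexes are anchored (`^your-.*-key-here$` style); an unanchored `your-.*-key-here` would also have matched inside the old whole-match secret, which would mean the reported false positives had a different cause. Also note that the `key` keyword combined with `[:=]` will keep matching every `*_KEY=` line in templates and README examples, so a path allowlist for `.env.template` and the documentation examples would be more durable than per-commit fingerprints.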

.gitleaksignore Normal file

@@ -0,0 +1,16 @@
# Gitleaks Baseline - Known False Positives
# This file contains fingerprints of known false positives that should be ignored.
# Format: commit:file:rule:line
# README.md placeholder API key examples (not actual secrets)
# These are documentation examples showing users how to set environment variables
792da694efe22304469ec22ff46201080791e3a6:README.md:generic-secret:61
792da694efe22304469ec22ff46201080791e3a6:README.md:generic-secret:62
27539371e7d2b2b6edb63bc238a6c0347fafef0c:README.md:generic-secret:61
27539371e7d2b2b6edb63bc238a6c0347fafef0c:README.md:generic-secret:62
# .env.template placeholder values (not actual secrets)
# Template files showing users what environment variables to set
02042634506c377e86161cc2ce038eb8c19f10f3:.env.template:generic-secret:2
02042634506c377e86161cc2ce038eb8c19f10f3:.env.template:generic-secret:4
02042634506c377e86161cc2ce038eb8c19f10f3:.env.template:generic-secret:5
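Review bot: each fingerprint is pinned to a commit, file, rule and line number, so any future commit that touches `README.md` lines 61-62 or `.env.template` lines 2-5 produces new fingerprints and the scan fails again; since the `secretGroup = 2` change is meant to let the allowlist suppress these same placeholders, check whether these entries are still needed after that change, and if they are, record in the header which placeholder value each fingerprint covers so a reviewer can later verify the line still holds a placeholder and not a real value.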


@@ -30,6 +30,7 @@ ALLOWED_PATTERNS=(
"^\.coveragerc$"
"^\.secrets\.baseline$"
"^\.gitleaks\.toml$"
"^\.gitleaksignore$"
"^\.semgrepignore$"
"^\.trivyignore$"
"\.semgrep/.*\.yml$"
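Review bot: this array duplicates the ALLOWED_PATTERNS list in the other file-whitelist-check script, and the two are already edited in different places; if a shared pattern file is not adopted, at least add a test that diffs the two arrays so the allowlists cannot silently diverge.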