@celermajer (Collaborator) commented Dec 17, 2025:

Add secret exception for security scan

This PR adds an allowlist configuration to exclude a false positive detection of a test private key in the libevent library.

Background

Security scanning tools may flag a test private key in 3rd-party/libevent-2.1.12-stable.tar.gz. This is a known false positive for the following reasons:

  • The file is part of the libevent test suite (test/regress_ssl.c)
  • The file is never compiled or executed in Open MPI's build

Changes

  • Added .nspect-allowlist.toml configuration file
  • Configured exception for the test private key in the libevent tarball

@jsquyres (Member) previously approved these changes Dec 17, 2025 and left a comment:

I confirm that a secret key exists in the libevent-2.1.12-stable.tar.gz tarball, in the test/regress_ssl.c file. Thanks for adding this trufflehog exception!

Do you need this exception file cherry-picked to any of the release branches? (v4.1.x, v5.0.x, v6.0.x) If so, feel free to make cherry-pick PRs.

@jsquyres jsquyres requested a review from janjust December 17, 2025 14:36
@jsquyres (Member) commented:

There's something very odd about the branch on this PR -- it seems to be branched from a very, very old state of the Open MPI repository. The docs CI build is failing because it can't find the docs config files, for example.

Can you base your branch off something much more recent / closer to the tip of this repository's main branch?

janjust previously approved these changes Jan 27, 2026
@celermajer celermajer force-pushed the Add_secret_allowlist_for_trufflehog branch from e40bd83 to 55c8c33 Compare January 28, 2026 12:45
@celermajer (Collaborator, Author) commented:

> There's something very odd about the branch on this PR -- it seems to be branched from a very, very old state of the Open MPI repository. The docs CI build is failing because it can't find the docs config files, for example.
>
> Can you base your branch off something much more recent / closer to the tip of this repository's main branch?

@jsquyres Thanks for the review!

I've rebased the branch on the latest main to fix the CI issues.

For the release branches - yes, I can create cherry-pick PRs for v4.1.x, v5.0.x, and v6.0.x once this is merged.

Comment on lines 7 to 9:

[[pulse-trufflehog.files.secrets]]
type = "PrivateKey"
values = [ "-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAtK07Ili0dkJb79m/" ]

Member:

Nit: is there a reason this is indented and the previous entry is not?

Collaborator Author:


Good point! I removed the indentation.

[[pulse-trufflehog.files.secrets]]
type = "PrivateKey"
values = [ "-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAtK07Ili0dkJb79m/" ]

Member:


Nit: blank line at end of file.

Collaborator Author:


Removed.

@celermajer celermajer dismissed stale reviews from jsquyres and janjust via aa18e69 January 28, 2026 13:30
@github-actions commented:

Hello! The Git Commit Checker CI bot found a few problems with this PR:

aa18e69: .nspect-allowlist.toml remove useless blank line

  • check_signed_off: does not contain a valid Signed-off-by line

Please fix these problems and, if necessary, force-push new commits back up to the PR branch. Thanks!

@github-actions commented:

Hello! The Git Commit Checker CI bot found a few problems with this PR:

e53cd30: Fix formatting of secrets entry in allowlist

  • check_signed_off: does not contain a valid Signed-off-by line

aa18e69: .nspect-allowlist.toml remove useless blank line

  • check_signed_off: does not contain a valid Signed-off-by line

Please fix these problems and, if necessary, force-push new commits back up to the PR branch. Thanks!

This PR adds an allowlist configuration to exclude a false positive
detection of a test private key in the libevent library.

The file is part of the libevent test suite and is not a real secret.

Signed-off-by: Arnaud Celermajer <[email protected]>
@janjust janjust force-pushed the Add_secret_allowlist_for_trufflehog branch from e53cd30 to 710b3ff Compare January 28, 2026 20:25
@janjust janjust merged commit 253c8e7 into open-mpi:main Jan 30, 2026
17 checks passed