RCA — gitleaks #2817 #2818 false-positive triage
- Incident ID: 2026-05-27-gitleaks-2817-2818
- Date: 2026-05-27
- Severity: SEV-4
- Duration: ~45m (detection → allowlist shipped)
- Blast radius: Internal only; CI scan noise, no user-facing impact
- Author: sre-agent
Summary
The nightly gitleaks scan (run `26509102274`, 2026-05-27 11:55 UTC) filed two HIGH findings. Both are false positives. Finding #2817 flagged the Cloudflare Account ID in its shell-export form (unquoted `TF_VAR_cf_access_account_id=<hex>`) inside a Terraform comment block; the existing allowlist regex only covered the quoted Terraform-variable form. Finding #2818 flagged a truncated ellipsis-style example token inside a runbook (`docs/ops/runbooks/signup-smoke.md`); the `^docs/ops/[^/]+\.md$` path allowlist only matched files directly under `docs/ops/`, not one level deeper in `runbooks/`. Neither value is a real credential; no rotation required.
Timeline (all times UTC)
- 11:55 — Security scan run `26509102274` completes; files GH issues #2817 and #2818
- ~12:30 — SRE-agent begins triage
- 12:32 — `git show bca1adede0ed:terraform/cf-access/synthetic_gate_service_token.tf` confirms line 68 is `TF_VAR_cf_access_account_id=22b5c35090724fbf05db6d4f501ac821` (shell comment, public identifier)
- 12:33 — `git show e7234e17f323:docs/ops/runbooks/signup-smoke.md` confirms line 132 is `token=eyJ2IjoxLCJlbWFp...abc12345` (truncated ellipsis placeholder, not a real token)
- 12:35 — Root cause identified: two gaps in the `.gitleaks.toml` allowlist
- 12:40 — Allowlist patched: new regex for the unquoted `TF_VAR` form; new path entry for `^docs/ops/runbooks/[^/]+\.md$`
- 12:45 — PR opened; issues closed with explanation
Impact
- Users affected: none
- User-visible symptoms: none
- Data integrity: ok
- Revenue / billing: ok
What went well
- Both existing runbook failure modes (B and D) described exactly this class of bug — diagnosis was immediate
- The prior `regexTarget = "match"` entry was already in place; the new regex worked without additional config
- No rotation or remediation needed; no operator interruption required
What didn't go well
- The `cf_access_account_id` allowlist regex was narrowly written for the quoted form only; the shell-export instruction in the same file's comment block was a predictable second match surface
- The `^docs/ops/[^/]+\.md$` path allowlist has been extended for `sre-reports/` and `triage/` in the past (#2003), but the `runbooks/` subdirectory, the most natural home for example output, was never added
Root cause analysis
- Contributing factor 1: Allowlist regex gap. `cf_access_account_id\s*=\s*"[0-9a-f]{32}"` only matches the Terraform quoted-value assignment. The same value appears one line later in the same file as `TF_VAR_cf_access_account_id=22b5c35090724fbf05db6d4f501ac821` (unquoted shell export). gitleaks matched the hex string under `generic-api-key` in both occurrences; the allowlist suppressed only the quoted one, because the unquoted form has no `"` after the `=` and so never satisfies the regex. That second occurrence is what surfaced as #2817.
- Contributing factor 2: Path allowlist depth mismatch. `^docs/ops/[^/]+\.md$` is a regex whose `[^/]+` spans exactly one path component, so it only matches the immediate children of `docs/ops/`. `docs/ops/runbooks/signup-smoke.md` is one directory level deeper. The pattern was never extended to cover the `runbooks/` subdirectory even though runbooks are the most likely location for example command output with realistic-looking token fragments.
Detection
- What alerted us: nightly security scan via GH Actions + `security_file_issues.py` → GH issues #2817 #2818
- How long between cause and detection: commit `bca1aded` merged before 2026-05-27 11:55 UTC; detected at scan time (sub-24h)
- How to detect faster next time: current pipeline is adequate; detection lag is bounded by the nightly schedule
Resolution
- #2817: Added regex `'''TF_VAR_cf_access_account_id=[0-9a-f]{32}'''` to the `regexes` list of the `.gitleaks.toml` `[allowlist]` block. This covers the unquoted shell-export form. `regexTarget = "match"` already in effect, so the pattern is tested against the full rule match (key name and value), not the bare hex value.
- #2818: Added path entry `'''^docs/ops/runbooks/[^/]+\.md$'''` to the `paths` list of the `.gitleaks.toml` `[allowlist]` block. This covers all runbook markdown files one level under `docs/ops/runbooks/`, matching the existing depth extensions for `sre-reports/` and `triage/`. Caveat: a path allowlist suppresses every rule for the files it matches, so a real token pasted into a runbook would no longer be reported; the regex-based fix for #2817 does not carry that cost.
- Validation: both patterns match the flagged strings. Full-history scan to be run by CI on the PR.
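To make both gaps and both fixes concrete, the following added Python check (not part of the repository's tooling or of gitleaks itself) replays the flagged strings through a minimal model of gitleaks' global `[allowlist]` under `regexTarget = "match"` and the default OR condition between `paths` and `regexes`, first with the pre-fix patterns and then with the two entries from this Resolution. Assumptions: Python's `re` stands in for Go's RE2 (none of these patterns use engine-specific syntax); the exact form of the earlier `sre-reports/` and `triage/` path entries, the quoted line-67 assignment, and the two control findings are constructed for illustration.

```python
import re

# Allowlist entries as recorded in this RCA. "OLD" is the state of
# .gitleaks.toml before the fix; "NEW" adds the two Resolution entries.
# In the TOML they live under [allowlist] as
#   regexTarget = "match"
#   regexes = ['''...''']
#   paths   = ['''...''']
# Python's `re` stands in for Go's RE2 here (assumption: these patterns use
# no syntax that differs between the two engines).
OLD_REGEXES = [r'cf_access_account_id\s*=\s*"[0-9a-f]{32}"']
NEW_REGEXES = OLD_REGEXES + [r"TF_VAR_cf_access_account_id=[0-9a-f]{32}"]

# The sre-reports/ and triage/ entries from #2003 are assumed to have the
# same one-level shape as the base pattern.
OLD_PATHS = [
    r"^docs/ops/[^/]+\.md$",
    r"^docs/ops/sre-reports/[^/]+\.md$",
    r"^docs/ops/triage/[^/]+\.md$",
]
NEW_PATHS = OLD_PATHS + [r"^docs/ops/runbooks/[^/]+\.md$"]


def is_allowlisted(path, match, regexes, paths):
    """Model of the global allowlist with regexTarget = "match" and the
    default OR condition: drop the finding if the file path matches any
    `paths` entry, or the rule's match string matches any `regexes` entry.
    Both use unanchored search, as Go's regexp.MatchString does."""
    if any(re.search(p, path) for p in paths):
        return True
    return any(re.search(r, match) for r in regexes)


# Constructed findings: (path, rule match string) as gitleaks' generic-api-key
# rule would report them. The quoted line-67 form is reconstructed; the
# unquoted line-68 form and the runbook placeholder are the strings quoted in
# the timeline; the two "control" entries are made up and must never be
# suppressed by the account-id or runbook entries.
HEX = "22b5c35090724fbf05db6d4f501ac821"
FINDINGS = {
    "tf-quoted-line67": (
        "terraform/cf-access/synthetic_gate_service_token.tf",
        f'cf_access_account_id = "{HEX}"',
    ),
    "tf-unquoted-#2817": (
        "terraform/cf-access/synthetic_gate_service_token.tf",
        f"TF_VAR_cf_access_account_id={HEX}",
    ),
    "runbook-#2818": (
        "docs/ops/runbooks/signup-smoke.md",
        "token=eyJ2IjoxLCJlbWFp...abc12345",
    ),
    "control-src-key": ("src/config.py", 'api_key = "' + "f" * 32 + '"'),
    "control-nested-runbook": (
        "docs/ops/runbooks/nested/deep.md",
        "token=" + "a" * 40,
    ),
}


def surviving(findings, regexes, paths):
    """Names of findings the allowlist does NOT suppress, i.e. what gets filed."""
    return sorted(
        name
        for name, (path, match) in findings.items()
        if not is_allowlisted(path, match, regexes, paths)
    )


if __name__ == "__main__":
    print("before fix:", surviving(FINDINGS, OLD_REGEXES, OLD_PATHS))
    print("after fix: ", surviving(FINDINGS, NEW_REGEXES, NEW_PATHS))
    # Cost of the path-based fix: anything at all in a one-level runbook is
    # now silent, including a constructed real-looking key.
    print(
        "real-looking key in runbook suppressed:",
        is_allowlisted("docs/ops/runbooks/x.md", "key=" + "9" * 40,
                       NEW_REGEXES, NEW_PATHS),
    )
```

Run as a script it shows the two real findings dropping out after the fix while both controls still surface, and the last line shows the trade-off of the `paths` entry: it silences every rule for one-level runbook files, which is why the regex route was preferable for #2817.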
Action items
| # | Action | Owner | Due | Issue |
|---|---|---|---|---|
| 1 | After PR merges, verify full-history gitleaks scan exits 0 in CI | sre-agent | 2026-05-28 | #2817 #2818 |
| 2 | When writing new Terraform pre-apply shell examples, check that the `TF_VAR_cf_access_account_id` allowlist regex covers any new unquoted occurrence | sre-agent (ongoing) | — | — |
References
- Runbook: `docs/ops/runbooks/gitleaks.md`
- Related incidents: `docs/incidents/2026-05-01-gitleaks-cf-account-id-false-positive.md`
- GH issues: #2817, #2818
- Scan run: `26509102274`