chore: sync security config files (#1169)

* chore: sync semgrep.yaml from security-config

* chore: sync .gitleaksignore from security-config

* chore: add inheritance: true, keep only repo-specific overrides

* chore: exclude semgrep.yaml from detect-secrets

* chore: sync .gitleaksignore from security-config

* chore: sync .gitleaks.toml from security-config

* chore: sync .gitleaks.toml from security-config

---------

Co-authored-by: security-config-sync[bot] <265242129+security-config-sync[bot]@users.noreply.github.com>
Co-authored-by: Ugo Giordano <ugiordan@redhat.com>
Co-authored-by: Debarati Basu-Nag <dbasunag@redhat.com>

Author: 3 people

.coderabbit.yaml

@@ -1,111 +1,57 @@
-language: en-US
-tone_instructions: ''
-early_access: false
-enable_free_tier: true
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+# Inherits from org-wide config: https://github.com/opendatahub-io/coderabbit
+# Only overrides listed below differ from the org baseline.
+
+inheritance: true
+
 reviews:
-  profile: chill
-  request_changes_workflow: false
-  high_level_summary: true
-  high_level_summary_placeholder: '@coderabbitai summary'
-  high_level_summary_in_walkthrough: false
-  auto_title_placeholder: '@coderabbitai'
-  auto_title_instructions: ''
   review_status: false
-  commit_status: true
-  fail_commit_status: false
-  collapse_walkthrough: true
   changed_files_summary: true
-  sequence_diagrams: false
-  assess_linked_issues: true
-  related_issues: true
-  related_prs: true
   suggested_labels: true
-  auto_apply_labels: false
   suggested_reviewers: true
-  auto_assign_reviewers: false
-  poem: false
-  labeling_instructions: []
-  path_filters: ["!.github/**"]
-  path_instructions: []
-  abort_on_close: true
-  disable_cache: false
-  auto_review:
-    enabled: true
-    auto_incremental_review: true
-    ignore_title_keywords: ['wip', 'do not merge', 'do not review',
-                            'lock file maintenance', 'pre-commit autoupdate']
-    labels: []
-    drafts: false
-    base_branches: []
+  related_issues: true
+  related_prs: true
+
+  path_filters:
+    - "!.github/**"
+
   finishing_touches:
     docstrings:
       enabled: true
     unit_tests:
       enabled: true
+
+  auto_review:
+    ignore_title_keywords:
+      - "wip"
+      - "do not merge"
+      - "do not review"
+      - "lock file maintenance"
+      - "pre-commit autoupdate"
+
   tools:
-    ast-grep:
-      rule_dirs: []
-      util_dirs: []
-      essential_rules: true
-      packages: []
-    shellcheck:
-      enabled: true
-    ruff:
-      enabled: true
-    markdownlint:
-      enabled: true
-    github-checks:
-      enabled: true
-      timeout_ms: 90000
     languagetool:
       enabled: true
-      enabled_rules: []
-      disabled_rules: []
-      enabled_categories: []
-      disabled_categories: []
-      enabled_only: false
-      level: default
     biome:
       enabled: true
-    hadolint:
-      enabled: true
     swiftlint:
       enabled: true
     phpstan:
       enabled: true
-      level: default
-    golangci-lint:
-      enabled: true
-    yamllint:
-      enabled: true
-    gitleaks:
-      enabled: true
-    checkov:
-      enabled: true
     detekt:
       enabled: true
-    eslint:
-      enabled: true
     rubocop:
       enabled: true
     buf:
       enabled: true
     regal:
       enabled: true
-    actionlint:
-      enabled: true
     pmd:
       enabled: true
-    cppcheck:
-      enabled: true
-    semgrep:
-      enabled: true
     circleci:
       enabled: true
     clippy:
       enabled: true
-    sqlfluff:
-      enabled: true
     prismaLint:
       enabled: true
     pylint:
@@ -120,32 +66,12 @@ reviews:
       enabled: true
     dotenvLint:
       enabled: true
+
 chat:
   auto_reply: true
-  integrations:
-    jira:
-      usage: auto
-    linear:
-      usage: auto
+
 knowledge_base:
-  opt_out: false
   web_search:
     enabled: true
-  learnings:
-    scope: auto
-  issues:
-    scope: auto
-  jira:
-    usage: auto
-    project_keys: []
-  linear:
-    usage: auto
-    team_keys: []
   pull_requests:
     scope: auto
-code_generation:
-  docstrings:
-    language: en-US
-    path_instructions: []
-  unit_tests:
-    path_instructions: []

.gitleaks.toml

@@ -0,0 +1,57 @@
+# Gitleaks configuration for opendatahub-io repos
+# Synced from security-config. Do not edit in target repos.
+#
+# Path allowlists use Go regex syntax.
+# Real credentials should NEVER be committed to any repository.
+
+[extend]
+  useDefault = true
+
+[allowlist]
+  description = "Exclude test fixtures, mock data, sample configs, and CI resources"
+  paths = [
+    # Go testdata directories
+    '''testdata/''',
+
+    # Python test data directories
+    '''test_data/''',
+
+    # Test fixtures
+    '''fixtures/''',
+
+    # JavaScript/TypeScript mocks
+    '''__mocks__/''',
+
+    # Go/Java/TS mock directories
+    '''mocks/''',
+    '''k8mocks/''',
+
+    # Sample and example configs with placeholder credentials
+    '''docs/samples/''',
+    '''config/samples/''',
+    '''config/overlays/test/''',
+
+    # CI/GitHub Actions test resources
+    '''\.github/resources/''',
+
+    # E2E test credentials
+    '''test/e2e/credentials/''',
+    '''tests/e2e/credentials/''',
+
+    # OpenShift CI sample resources
+    '''openshift-ci/resources/samples/''',
+
+    # Cypress test data
+    '''cypress/fixtures/''',
+    '''cypress/tests/mocked/''',
+
+    # Test certificate and key files
+    '''tests/data/.*\.(pem|crt|key)$''',
+  ]
+
+  # Known test/placeholder credentials used in documentation and tests
+  regexes = [
+    '''database-password\s*:\s*"?(The)?BlurstOfTimes"?''',
+    '''database-user\s*:\s*"?mlmduser"?''',
+    '''database-user\s*:\s*"?modelregistryuser"?''',
+  ]

.gitleaksignore

@@ -0,0 +1,5 @@
+# Gitleaks ignore file
+# Add false positive fingerprints below (one per line)
+# Format: commit:file:rule-id:line or file:rule-id:line
+#
+# For path-based exclusions, use .gitleaks.toml allowlist instead.

.pre-commit-config.yaml

@@ -33,7 +33,7 @@ repos:
     rev: v1.5.0
     hooks:
       - id: detect-secrets
-        exclude: .*/__snapshots__/.*|.*-input\.json$
+        exclude: .*/__snapshots__/.*|.*-input\.json$|^semgrep\.yaml$
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
     rev: v0.15.4