# general
b
So, we have GitLeaks set up as part of our Azure DevOps pipeline, and we install the Pact Broker CLI using `curl -fsSL https://raw.githubusercontent.com/pact-foundation/pact-ruby-standalone/master/install.sh | PACT_CLI_VERSION=v2.4.6 bash`. When GitLeaks then scans the repo, it triggers this:
/usr/bin/bash /agent/_work/_temp/64f3718d-50e0-498e-a427-dfbbce7600e3.sh

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

Finding:     #   uri.password = "V3ry_S3nsit1ve"
Secret:      V3ry_S3nsit1ve
RuleID:      generic-api-key
Entropy:     3.664498
File:        pact/lib/ruby/lib/ruby/3.3.0/uri/generic.rb
Line:        495
Fingerprint: pact/lib/ruby/lib/ruby/3.3.0/uri/generic.rb:generic-api-key:495
For now, we addressed this by adding the fingerprint to a .gitleaksignore, but I don't think that's the right solution. Is this something that needs to / should be addressed in an upcoming Pact CLI tools release? Or is this part of Traveling Ruby?
y
It's a comment in code…
b
Ah, gotcha, you're absolutely right
y
PS: I am generally disappointed with security scanning tools and the false positives they provide, which ultimately wastes people's time and erodes people's confidence (users and maintainers).
b
Wasn't my decision to add it, and you're right about the false positives. Thanks for looking into it, though, appreciate it as always
y
Pleasure! And not saying having them in place is a bad thing; just being prepared to try and disprove the tool first has certainly helped weed out some misnomers. Might be worth raising an issue on the gitleaks repo, as they might be able to avoid it being picked up (you may want comment scanning in case someone has slipped a key in there, so maybe they want a general exclusion list for known false positives, like a gitleaksignore file but held centrally rather than each user needing to add to their own; I imagine this may catch others, not just those using pact).
b
Yeah, was thinking about raising that, too, but the number of recent open PRs and issues isn't very promising. Anyway, enough about GitLeaks I think, back to Pact 😉