chore: add gitguardian config to exclude compliance test key fixtures by MichielDean · Pull Request #33 · adcontextprotocol/adcp-sdk-java

MichielDean · 2026-06-19T04:00:23Z

Summary

Add .gitguardian config to suppress false-positive secret detections on the AdCP compliance test vectors.

The test vectors in adcp-server/src/test/resources/compliance/ contain intentionally public test keys with _private_d_for_test_only fields. These ship in the official AdCP spec repo at https://adcontextprotocol.org/compliance/latest/test-vectors/ and are designed for cross-SDK conformance testing. The keys.json files carry explicit _WARNING and $comment banners.

GitGuardian correctly detects these as private key material, but they are false positives — the keys are deliberately public and must not be treated as secrets.

This PR adds a .gitguardian config with paths-ignore for the compliance test fixtures so that PR #32 (Track 4 L1 signing) and future PRs that reference these vectors don't trigger false-positive security alerts.

Note: This needs to be on main before the .gitguardian paths-ignore takes effect for PR checks.

The AdCP compliance test vectors in adcp-server/src/test/resources/compliance/ contain intentionally public test keys with _private_d_for_test_only fields. These are for signer/verifier round-trip conformance testing and MUST NOT be used in production. The keys.json files carry explicit warnings in their _WARNING and fields. GitGuardian correctly detects these as private key material, but they are false positives — the keys are published in the AdCP spec repo at https://adcontextprotocol.org/compliance/latest/test-vectors/ and are intentionally public for cross-SDK conformance testing.

aao-ipr-bot · 2026-06-19T04:00:54Z

⚠️ Argus review could not complete

The automated review encountered an issue (possibly reached max turns, timed out, or failed to post the final gh pr review). A human reviewer should take this PR.

View workflow run

_{This is an automated message from the Argus AI review workflow.}

bokelley

I think this needs another pass before approval.

Findings:

.gitguardian does not configure the GitGuardian GitHub check run this PR is trying to quiet. GitGuardian's local ggshield config is documented as .gitguardian.yaml with version: 2 and secret.ignored_paths; the top-level paths-ignore / matches-ignore shape here is legacy ggshield config, and ggshield ignores are not shared with the GitGuardian dashboard/check-run integration. If the goal is to suppress the GitGuardian Security Checks status, this should be configured via the GitGuardian dashboard filepath exclusion rules, or the repo should add the actual ggshield config only if a local/CI ggshield invocation consumes it.
The ignore patterns point at adcp-server/src/test/resources/compliance/..., but that path does not exist on either origin/main or this PR head. This makes the rule a no-op for the current repository state, even before considering whether GitGuardian will read the file. Please align the exclusion with the actual fixture path when those files are added, or include this config in the same PR that adds the fixtures so the pattern can be reviewed against real files.

One smaller security concern once the path issue is fixed: **/*hmac* is broad for a secret-scan bypass. Prefer excluding exact public test-vector files rather than every future compliance file whose name contains hmac.

aao-ipr-bot · 2026-06-21T18:47:36Z

⚠️ Argus review could not complete

The automated review encountered an issue (possibly reached max turns, timed out, or failed to post the final gh pr review). A human reviewer should take this PR.

View workflow run

_{This is an automated message from the Argus AI review workflow.}

…erns Replace legacy v1 .gitguardian.yml (paths-ignore/matches-ignore) with documented v2 .gitguardian.yaml (version: 2 + secret.ignored_paths), which is what ggshield actually loads (docs.gitguardian.com/ggshield-docs/configuration). Drop the **/*hmac* pattern: no fixture is named *hmac* today, so the rule is a no-op; keeping it would silently exclude unrelated future files whose names happen to contain 'hmac'. Scope ignores to the exact public test-vector key files instead of the compliance/** glob. Note in the file that this configures ggshield (local/CI CLI scans), not the 'GitGuardian Security Checks' GitHub App check-run, which is driven by dashboard filepath exclusion rules and is unaffected by any repo-local config. Supersedes PR #33, which added a duplicate .gitguardian JSON file with the same v1 patterns.

MichielDean · 2026-06-21T18:54:18Z

Closing as duplicate of #32, which now carries a corrected ggshield config.

Review findings on this PR (all confirmed against repo state):

.gitguardian (no extension, JSON, v1 shape) is not a documented ggshield config. ggshield loads .gitguardian.yaml with version: 2 + secret.ignored_paths (docs.gitguardian.com/ggshield-docs/configuration). The v1 paths-ignore/matches-ignore shape here is legacy.
No local config suppresses the GitGuardian Security Checks check-run. That check is driven by the GitGuardian dashboard, not by any repo-local file. Only dashboard filepath exclusion rules affect it. The repo has no ggshield in CI (.github/workflows/ci.yml runs only ./gradlew build) and no .pre-commit-config.yaml, so nothing in this repo consumes a local ggshield config today.
The ignore patterns pointed at adcp-server/src/test/resources/compliance/..., which does not exist on origin/main or this PR head. The fixtures only exist on PR feat(signing): L1 signing — RFC 9421, KMS providers, JWKS, webhook verification #32's branch (feat/l1-signing-track4). This made both rules no-ops against the current repository state.
**/*hmac* is a broad secret-scan bypass. No current fixture is named *hmac* (webhook-signing fixtures are 001-basic-post.json, 002-es256-post.json, etc.), so the pattern matches nothing today and would silently exclude any future file whose name contains 'hmac'.

The fix landed in #32 (commit adcp-sdk-java@4d09593):

Renamed .gitguardian.yml → .gitguardian.yaml (documented filename)
Converted to v2 schema (version: 2 + secret.ignored_paths)
Replaced compliance/**/keys.json glob with the two exact public test-vector paths
Dropped **/*hmac* entirely (nothing to match)
Added a note that the check-run requires dashboard filepath exclusions, not a repo-local file

To actually turn the failing GitGuardian Security Checks green on #32, a workspace admin needs to add filepath exclusions in the GitGuardian dashboard (Secrets Detection → Exclusion rules → Filepath) for the two keys.json paths. The config file documents this and mirrors the paths to use.

MichielDean requested a review from bokelley as a code owner June 19, 2026 04:00

bokelley requested changes Jun 19, 2026

View reviewed changes

Merge branch 'main' into chore/gitguardian-test-key-exclusions

4a86eff

MichielDean closed this Jun 21, 2026

MichielDean mentioned this pull request Jun 21, 2026

feat(signing): L1 signing — RFC 9421, KMS providers, JWKS, webhook verification #32

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: add gitguardian config to exclude compliance test key fixtures#33

chore: add gitguardian config to exclude compliance test key fixtures#33
MichielDean wants to merge 2 commits into
mainfrom
chore/gitguardian-test-key-exclusions

MichielDean commented Jun 19, 2026

Uh oh!

aao-ipr-bot Bot commented Jun 19, 2026

Uh oh!

bokelley left a comment

Uh oh!

aao-ipr-bot Bot commented Jun 21, 2026

Uh oh!

MichielDean commented Jun 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

MichielDean commented Jun 19, 2026

Summary

Uh oh!

aao-ipr-bot Bot commented Jun 19, 2026

Uh oh!

bokelley left a comment

Choose a reason for hiding this comment

Uh oh!

aao-ipr-bot Bot commented Jun 21, 2026

Uh oh!

MichielDean commented Jun 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants