LeakIX source experiencing intermittent test failures in CI

[Jigardjain]

Problem Description

The LeakIX passive subdomain source is experiencing intermittent test failures in CI/CD pipelines, similar to other sources that have been added to the ignoredSources list in the test suite.

Current Status

LeakIX is currently not in the ignoredSources list in pkg/passive/sources_wo_auth_test.go, which causes test runs to fail when the API is unavailable or rate-limited.

Root Causes

Based on the LeakIX API documentation and behavior observed in other sources, the likely causes are:

1. Rate Limiting: The LeakIX API enforces strict rate limiting at ~1 request per second

   • Returns HTTP 429 status code when exceeded
   • Requires waiting for the duration specified in the x-limited-for header

2. IP-based Restrictions: GitHub Actions runner IPs may be blocked or throttled by LeakIX's infrastructure

3. Service Availability: The API may experience random outages or degraded performance

Evidence

The LeakIX source is listed in test expectations:

• Line 56 in pkg/passive/sources_test.go: expectedAllSources
• Line 101 in pkg/passive/sources_test.go: expectedDefaultSources
• Line 123 in pkg/passive/sources_test.go: expectedDefaultRecursiveSources

But unlike other problematic sources (riddler, hackertarget, waybackarchive, alienvault, digitorus, dnsdumpster, anubis, threatcrowd), it's not in the ignoredSources list.

API Details

According to the LeakIX API documentation:

• Endpoint: GET /api/subdomains/:domain
• Rate limit: ~1 request per second
• Returns HTTP 429 with x-limited-for header when rate limited
• Registered and pro users get more results, which may affect test consistency

Suggested Solution

Add leakix to the ignoredSources list in pkg/passive/sources_wo_auth_test.go (around line 26-37):

```go
ignoredSources := []string{
"commoncrawl",
"riddler",
"crtsh",
"hackertarget",
"waybackarchive",
"alienvault",
"digitorus",
"dnsdumpster",
"anubis",
"threatcrowd",
"leakix", // Add this line
}
```

Alternative Solutions

1. Implement retry logic: Add exponential backoff for 429 responses specifically for LeakIX
2. Mock the API: Create mock responses for CI testing
3. Conditional testing: Only run LeakIX tests when a specific environment variable is set

Related Issues

This follows the pattern of other sources that were moved to ignoredSources:

• Similar to hackertarget: "Fails in GH Action (possibly IP-based ban)"
• Similar to waybackarchive: "Fails randomly"
• Similar to crtsh: "Fails in GH Action (possibly IP-based ban) causing a timeout"

---

Impact: Low - The source works correctly in production, only affects CI test reliability
Priority: Medium - Improves test suite stability and reduces false negatives

[PontusLindblom]

When running the tests in .\pkg\passive, I get the following:
"[DBG] Cannot use the leakix source because there was no API key/secret defined for it.
[DBG] Response for failed request against https://leakix.net/api/subdomains/hackerone.com:
"Incorrect API Key""

Leakix appears to require API keys as of recently, which makes OptionalKey not work. There is a PR that fixes this problem: #1709