# .gitleaks.toml
#
# Repository-local gitleaks configuration. gitleaks picks this file up from
# the root of the scan target (or pass it explicitly with `--config`). It
# extends the built-in ruleset (see [extend]) with a global allowlist and a
# few repository-specific rules.
title = "gitleaks config"
[extend]
# Extend the default ruleset rather than replacing it. With this set, every
# built-in gitleaks rule still runs; the [[rules]] below are additions on top
# of it, and the global [allowlist] below applies to the built-in rules too.
useDefault = true
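[allowlist]
description = "Global allowlist"
# A global allowlist silences *every* rule, built-in ones included, for the
# paths and secrets it matches — keep it as narrow as possible.
#
# Path entries are regexes matched against the full file path. They are
# anchored here so that e.g. `yarn\.lock` cannot also match `my-yarn.lock`,
# `yarn.lock.bak` or anything under a directory named `yarn.lock.d/` (the
# `.env` rule below anchors its `path` the same way).
paths = [
  # lock files are full of integrity hashes that look like high-entropy secrets
  '''(^|/)flake\.lock$''',
  '''(^|/)package-lock\.json$''',
  '''(^|/)yarn\.lock$''',
  '''(^|/)bun\.lockb$''',
]
# Caveat: whole-file allowlisting also hides a genuine secret that ends up in
# a lock file (e.g. a token embedded in a private-registry `resolved` URL).
# If that matters for this repository, drop the path entries above and
# allowlist the hash formats by regex instead.
regexes = [
  # nix store paths: /nix/store/<32-char base32 hash>-<name>. Allowlist
  # regexes are compared against the reported secret by default (gitleaks'
  # `regexTarget`), so this only suppresses findings whose secret is a store
  # path, not every line that happens to mention one — confirm against the
  # pinned gitleaks version if relying on this.
  '''/nix/store/[a-z0-9]{32}-''',
]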
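[[rules]]
id = "generic-api-key-extended"
description = "Extended generic API key detection"
# Matches `api_key = ...`, `ACCESS-TOKEN: ...`, `authToken="..."` and similar.
# The key name is a non-capturing group and the value is capture group 1 so
# that `secretGroup` below points at the value alone.
regex = '''(?i)(?:api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token)\s*[:=]\s*['"]?([a-zA-Z0-9_\-]{16,})['"]?'''
# Report, and measure entropy on, the value only. Without `secretGroup`
# gitleaks treats the whole match as the secret, so the low-entropy
# `api_key = ` prefix is averaged in and the threshold below is applied to the
# wrong string.
secretGroup = 1
# Shannon-entropy floor for the captured value. Filters placeholders such as
# `xxxxxxxxxxxxxxxx` or `your_api_key_here`; lower it if a provider's real keys
# are long but low-entropy (e.g. hex with few distinct digits).
entropy = 3.5
# Cheap case-insensitive pre-filter: the regex only runs on fragments that
# contain one of these. Every alternative in the regex contains one of them,
# so the filter cannot cause misses.
keywords = ["api", "access", "auth"]
tags = ["api", "key", "token"]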
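[[rules]]
id = "private-key-file"
description = "Private key files"
# PEM headers for RSA/EC/DSA/OpenSSH/PGP keys. The type prefix is optional so
# that PKCS#8 (`-----BEGIN PRIVATE KEY`) and encrypted PKCS#8
# (`-----BEGIN ENCRYPTED PRIVATE KEY`) — the forms openssl and most cloud
# CLIs emit today — are caught as well; the original fixed list missed both.
# `PGP PRIVATE KEY BLOCK` still matches because no closing dashes are
# required.
regex = '''-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|PGP|ENCRYPTED) )?PRIVATE KEY'''
# Case-insensitive pre-filter so the regex is not run on every fragment.
keywords = ["-----begin"]
# NOTE(review): with useDefault = true the built-in `private-key` rule (if the
# pinned default ruleset still carries it) also fires on these headers, so
# expect two findings per key unless one of the two rules is dropped.
tags = ["key", "private"]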
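[[rules]]
id = "environment-file"
description = "Committed .env files"
# Path-only rule: `.env`, `.env.local`, `.env.production`, and multi-suffix
# variants such as `.env.development.local` (the previous pattern allowed a
# single suffix only). gitleaks v8 treats a rule with `path` but no `regex` as
# path-only and emits one "file detected" finding per matching file, which is
# the intent here — the file's presence is the problem, not any one line. The
# previous `regex = '''.+'''` produced a finding per non-empty line, comments
# included, with the whole line reported as the "secret".
# NOTE(review): confirm the path-only behaviour against the pinned gitleaks
# version; if it is not supported there, restore a content regex.
path = '''(^|/)\.env(\.[a-z]+)*$'''
tags = ["env"]

[rules.allowlist]
# Documentation templates are expected to be committed. Only this rule is
# skipped for them: the built-in rules still scan their contents, so a real
# value pasted into `.env.example` is still reported.
paths = [
  '''\.env\.(example|template|sample)$''',
]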