Initial commit

skills/devsecops/secrets-gitleaks/assets/config-strict.toml

@@ -0,0 +1,48 @@
+# Gitleaks Strict Configuration
+# High-sensitivity detection with minimal allowlisting
+# Use for: Security-critical repositories, financial services, healthcare
+
+title = "Gitleaks Strict Configuration"
+
+[extend]
+# Use all default Gitleaks rules
+useDefault = true
+
+[allowlist]
+description = "Minimal allowlist - only proven false positives"
+
+# Only allow in build artifacts and dependencies
+paths = [
+  '''node_modules/.*''',
+  '''vendor/.*''',
+  '''\.min\.js$''',
+  '''\.min\.css$''',
+]
+
+# Only obvious non-secret patterns
+stopwords = [
+  "EXAMPLE_DO_NOT_USE",
+  "PLACEHOLDER_REPLACE_ME",
+]
+
+# All commits must be manually verified before allowlisting
+commits = []
+
+# Additional strict rules for high-value targets
+
+[[rules]]
+id = "strict-env-file"
+description = "Detect any .env files (should not be in repo)"
+regex = '''.*'''
+path = '''\.env$'''
+tags = ["env-file", "strict"]
+
+[[rules]]
+id = "strict-config-secrets"
+description = "Config files with potential secrets"
+regex = '''(?i)(password|secret|key|token|credential)[\s]*[=:][\s]*['"]?([a-zA-Z0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]{8,})['"]?'''
+secretGroup = 2
+tags = ["config", "strict"]
+[rules.allowlist]
+paths = ['''test/.*''']
+stopwords = ["EXAMPLE"]