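# Gitleaks Balanced Configuration
# Production-ready configuration balancing security and developer experience
# Use for: Most production repositories
#
# Every entry under [allowlist] is a blind spot for the scanner. Keep the list
# as narrow as the repository actually needs, and revisit it whenever a leak is
# found in a path or pattern it covers.

title = "Gitleaks Balanced Configuration"

[extend]
# Extend the default Gitleaks rule set rather than replacing it
useDefault = true

[allowlist]
description = "Balanced allowlist for common false positives"

# Allowlist regexes are matched against the extracted secret unless told
# otherwise. The public-material patterns below (certificate headers, data:
# URIs) describe the surrounding text, not the captured value, so target the
# whole line to make them effective.
regexTarget = "line"

# Standard non-production paths.
# Gitleaks tests path regexes unanchored against the repo-relative path, so a
# bare 'test/' would also exempt 'latest/' or 'contest/'; every directory
# pattern is therefore anchored at a path boundary with (^|/).
# NOTE: exempting test/spec/fixture trees is the main trade-off of this
# config. Real credentials are routinely committed there "temporarily"; drop
# those entries if the repository has a history of it.
# '.txt' is deliberately NOT exempt: notes, dumps and exported credential
# files commonly use that extension. '.md' / '.rst' remain exempt, but pasted
# curl commands in READMEs are a known leak vector; tighten to
# '''(^|/)docs?/.*\.md$''' if that has bitten this repository before.
paths = [
    '''(^|/)tests?/''',
    '''(^|/)fixtures/''',
    '''(^|/)testdata/''',
    '''(^|/)spec/''',
    '''(^|/)examples?/''',
    '''(^|/)docs?/''',
    '''\.md$''',
    '''\.rst$''',
    '''(^|/)node_modules/''',
    '''(^|/)vendor/''',
    '''(^|/)third[_-]party/''',
    '''\.min\.js$''',
    '''\.min\.css$''',
    '''(^|/)dist/''',
    '''(^|/)build/''',
    '''(^|/)target/''',
    '''(^|/)mocks?/''',
]

# Common placeholder patterns.
# Stopwords are compared as case-insensitive substrings of the extracted
# secret, so keep them specific enough that a genuine random token is
# unlikely to contain one (short digit/hex runs like "000000" are borderline;
# remove them if they ever suppress a real finding).
stopwords = [
    "example",
    "placeholder",
    "your_api_key_here",
    "your_key_here",
    "your_secret_here",
    "replace_me",
    "replaceme",
    "changeme",
    "change_me",
    "insert_key_here",
    "xxxxxx",
    "000000",
    "123456",
    "abcdef",
    "sample",
    "dummy",
    "fake",
    "test_key",
    "test_secret",
    "test_password",
    "test_token",
    "mock",
    "TODO",
]

# Public non-secrets.
# A generic UUID pattern is intentionally NOT allowlisted here: several
# services issue API tokens in UUID form (the default rule set includes a
# Heroku API key rule of that shape), so a global UUID exemption would
# silence those findings. Scope any UUID exemption to a single rule via
# [rules.allowlist] instead.
regexes = [
    '''-----BEGIN CERTIFICATE-----''',
    '''-----BEGIN PUBLIC KEY-----''',
    '''data:image/[^;]+;base64,''',
]

# Manually verified false positives. Use full commit SHAs and record the
# reason for each one in a comment so the exemption can be re-evaluated.
commits = []

# Custom rules for organization-specific patterns can be added below.
# Example: allowlist template files for one built-in rule only.
# Caution: depending on the Gitleaks version, a [[rules]] entry that reuses a
# built-in id may replace the built-in rule entirely rather than merge with
# it. Copy the full rule definition (regex, keywords, entropy) from the
# default config when overriding, and confirm the rule still fires on a
# known-bad sample afterwards.
# [[rules]]
# id = "generic-api-key"
# [rules.allowlist]
# paths = ['''config/.*\.template$''', '''config/.*\.example$''']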