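# Gitleaks Strict Configuration
# High-sensitivity detection with minimal allowlisting
# Use for: Security-critical repositories, financial services, healthcare
title = "Gitleaks Strict Configuration"

[extend]
# Start from the full default Gitleaks rule set; the rules below are additive.
useDefault = true

[allowlist]
description = "Minimal allowlist - only proven false positives"
# Only allow in build artifacts and dependencies. Entries are Go regexes
# matched against the file path, so they match anywhere unless anchored.
paths = [
    '''node_modules/.*''',
    '''vendor/.*''',
    '''\.min\.js$''',
    '''\.min\.css$''',
]
# Only obvious non-secret patterns
stopwords = [
    "EXAMPLE_DO_NOT_USE",
    "PLACEHOLDER_REPLACE_ME",
]
# All commits must be manually verified before allowlisting
commits = []

# Additional strict rules for high-value targets
[[rules]]
id = "strict-env-file"
description = "Detect any .env files (should not be in repo)"
# Path-only rule: with no `regex`, Gitleaks reports the matching file itself.
# A catch-all `regex = '''.*'''` would instead emit one finding per line.
path = '''\.env$'''
tags = ["env-file", "strict"]

[[rules]]
id = "strict-config-secrets"
description = "Config files with potential secrets"
# Deliberately broad (`key` alone matches many config keys); tune with the
# per-rule allowlist below rather than loosening the pattern.
regex = '''(?i)(password|secret|key|token|credential)[\s]*[=:][\s]*['"]?([a-zA-Z0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]{8,})['"]?'''
# Capture group 2 (the value after `=` or `:`) is the reported secret.
secretGroup = 2
tags = ["config", "strict"]

# Sub-table of the strict-config-secrets entry above; it must stay directly
# after that entry, since a following [[rules]] header starts a new rule.
[rules.allowlist]
paths = ['''test/.*''']
# NOTE(review): "EXAMPLE" is broader than the global stopword list; confirm
# that is intended for a strict profile.
stopwords = ["EXAMPLE"]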