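# Gitleaks Strict Configuration
# High-sensitivity detection with minimal allowlisting
# Use for: Security-critical repositories, financial services, healthcare
#
# Every `paths`/`regex` value is a regular expression matched unanchored
# against the relative file path or the content, so directory names in the
# allowlists are pinned to a path-separator boundary with `(^|/)` to avoid
# suppressing look-alike directories (e.g. `latest/` matching `test/`).

title = "Gitleaks Strict Configuration"

[extend]
# Use all default Gitleaks rules
useDefault = true

[allowlist]
description = "Minimal allowlist - only proven false positives"

# Only allow in build artifacts and dependencies.
# `(^|/)` keeps `my_vendor/` and similar directories in scope; the two
# minified-asset patterns are already anchored on the extension.
paths = [
    '''(^|/)node_modules/.*''',
    '''(^|/)vendor/.*''',
    '''\.min\.js$''',
    '''\.min\.css$''',
]

# Only obvious non-secret patterns. A stopword suppresses a finding whose
# matched secret contains it, so keep entries long and unambiguous.
stopwords = [
    "EXAMPLE_DO_NOT_USE",
    "PLACEHOLDER_REPLACE_ME",
]

# All commits must be manually verified before allowlisting
commits = []

# Additional strict rules for high-value targets

[[rules]]
id = "strict-env-file"
description = "Detect any .env files (should not be in repo)"
# `.*` reports every line of a matching file as its own finding.
# NOTE(review): gitleaks also accepts path-only rules (no `regex`), which
# report the file once rather than per line — confirm against the gitleaks
# version in use before relying on that.
regex = '''.*'''
path = '''\.env$'''
tags = ["env-file", "strict"]

[[rules]]
id = "strict-config-secrets"
description = "Config files with potential secrets"
# No `path` is set, so this rule runs against every scanned file, not only
# config files. Capture group 1 is the keyword, group 2 the candidate value
# (8+ characters); the leading `(?i)` is a flag, not a capture group, which is
# why secretGroup is 2. The bare `key` keyword is deliberately broad
# (e.g. `monkey: ...` matches) — accepted noise for a strict profile.
regex = '''(?i)(password|secret|key|token|credential)[\s]*[=:][\s]*['"]?([a-zA-Z0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]{8,})['"]?'''
secretGroup = 2
tags = ["config", "strict"]

# Rule-scoped allowlist: applies only to strict-config-secrets (the [[rules]]
# element directly above), on top of the global [allowlist].
[rules.allowlist]
# Anchored so `latest/` or `contest/` directories are still scanned.
paths = ['''(^|/)test/.*''']
# Reuse the explicit marker strings from the global allowlist. A bare
# substring such as "EXAMPLE" would suppress any value containing that word
# (case handling varies by gitleaks version), which defeats the strict intent.
stopwords = ["EXAMPLE_DO_NOT_USE", "PLACEHOLDER_REPLACE_ME"]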