@@ -18,7 +18,8 @@ tags = ["credentials", "url"]
|
|
|
|
|
|
[rules.allowlist]
|
|
|
# Skip well-known dummy/example creds that legitimately appear in docs
|
|
|
-# and test fixtures. Extend as new false positives show up.
|
|
|
+# and test fixtures, and template-literal interpolations in source code
|
|
|
+# (e.g. `http://${user}:${password}@...` — not an actual credential).
|
|
|
regexes = [
|
|
|
'''https?://user:pass(word)?@''',
|
|
|
'''https?://admin:admin@''',
|
|
|
@@ -27,6 +28,10 @@ regexes = [
|
|
|
'''https?://foo:bar@''',
|
|
|
'''https?://[^:]+:password@''',
|
|
|
'''https?://[^:]+:secret@''',
|
|
|
+ # JS template literal http://${user}:${password}@
|
|
|
+ '''https?://\$\{[^}]+\}:\$\{[^}]+\}@''',
|
|
|
+ # Python f-string http://{username}:{password}@
|
|
|
+ '''https?://\{[^}]+\}:\{[^}]+\}@''',
|
|
|
]
|
|
|
|
|
|
# ── Global allowlist ─────────────────────────────────────────────────────
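Review bot: The two regexes added at lines 62 and 70 accept anything except `}` between the braces, so a reference that carries a fallback value — shell/docker-compose style `http://${DB_USER:-admin}:${DB_PASS:-changeme}@` (constructed example) — is suppressed as well, even though the fallback is a literal credential. Restricting the interpolated part to identifier characters keeps the template-literal and f-string cases the comments describe while leaving such defaults to the rule: `'''https?://\$\{[A-Za-z_][A-Za-z0-9_.]*\}:\$\{[A-Za-z_][A-Za-z0-9_.]*\}@''',` and `'''https?://\{[A-Za-z_][A-Za-z0-9_.]*\}:\{[A-Za-z_][A-Za-z0-9_.]*\}@''',`. Whether these allowlist regexes are tested against the whole match or only the captured secret depends on the rule's `regexTarget`, which is not visible here; both patterns stay anchored at the scheme either way, so the tightening only narrows what they exclude. The `regexes` array itself opens before the hunk.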
|
|
|
@@ -39,4 +44,8 @@ paths = [
|
|
|
'''frontend/node_modules/.*''',
|
|
|
'''backend/tests/fixtures/.*''',
|
|
|
'''static/assets/.*''', # bundled frontend build output (minified JS/CSS)
|
|
|
+ # Historical log file (deleted in working tree, still in git history).
|
|
|
+ # Credentials inside have been rotated; allowlisted to keep future scans
|
|
|
+ # from re-surfacing them as noise.
|
|
|
+ '''bambutrack\.log\.1$''',
|
|
|
]
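Review bot: The path entry added at line 113 is anchored only at the end, so `bambutrack\.log\.1$` matches a file of that name in any directory (or any path whose tail ends in those characters), and because it sits in the global allowlist it silences every rule for any such file committed in the future, not just the historical one the comment describes. Since the intent is a one-off for a deleted file whose credentials are already rotated, a fingerprint entry in `.gitleaksignore` (commit, file, rule id and line of the original finding) scopes the exception to exactly that finding and expires naturally. If the path allowlist is kept instead, anchor it to where the file lived, e.g. `'''^bambutrack\.log\.1$'''` for a repository-root file (the original location is not visible in this hunk). The enclosing `paths` array opens before the hunk.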