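title = "Bambuddy gitleaks config"

# Extend the built-in ruleset instead of replacing it.
[extend]
useDefault = true

# ── Custom rules ─────────────────────────────────────────────────────────

# Flag credentials embedded in URL userinfo, e.g.
#   http://USERNAME:PASSWORD@host/
# gitleaks' default ruleset does not catch these because plain alphanumeric
# passwords have no recognisable signature — only the URL structure does.
[[rules]]
id = "basic-auth-url"
description = "Credentials in HTTP(S) URL userinfo"
# Scheme, a non-empty user name, ":" and at least four password characters
# ({4,}) up to the "@" that ends the userinfo. Neither side may contain
# whitespace, "/" or "@", so the match cannot run past the authority part.
regex = '''https?://[^:/\s@]+:[^@/\s]{4,}@'''
tags = ["credentials", "url"]

[rules.allowlist]
# Skip well-known dummy/example creds that legitimately appear in docs
# and test fixtures. Extend as new false positives show up.
# Each entry suppresses a finding from the rule above only; it has no effect
# on the built-in rules.
regexes = [
    '''https?://user:pass(word)?@''',
    '''https?://admin:admin@''',
    '''https?://test:test@''',
    '''https?://example:example@''',
    '''https?://foo:bar@''',
    '''https?://[^:]+:password@''',
    '''https?://[^:]+:secret@''',
]

# ── Global allowlist ─────────────────────────────────────────────────────

# Paths listed here are skipped by every rule, built-in ones included, so
# keep the list narrow: a pattern that is too loose silently exempts files
# from the whole scan.
[allowlist]
description = "Global paths and patterns that never contain real secrets"
paths = [
    # Binary/image assets. The extension is anchored to a preceding dot so
    # that only a real file extension matches — the previous form matched any
    # path merely ending in these letters (constructed example: "tools/tropico"
    # ends in "ico"). (?i) also covers upper-case extensions such as ".PNG".
    '''(?i)\.(png|jpg|jpeg|gif|svg|ico|webp|pdf)$''',
    # Bundled frontend build output (minified JS/CSS) and vendored packages.
    '''frontend/dist/.*''',
    '''frontend/node_modules/.*''',
    # Test fixtures are exempt wholesale, so nothing placed under this
    # directory is ever scanned; keep fixture credentials obviously synthetic.
    '''backend/tests/fixtures/.*''',
    # Bundled frontend build output (minified JS/CSS).
    '''static/assets/.*''',
]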