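title = "Bambuddy gitleaks config"

# Extend the built-in ruleset instead of replacing it.
[extend]
useDefault = true

# ── Custom rules ─────────────────────────────────────────────────────────

# Flag credentials embedded in URL userinfo, e.g.
#   http://USERNAME:PASSWORD@host/
# gitleaks' default ruleset does not catch these because plain alphanumeric
# passwords have no recognisable signature — only the URL structure does.
# The password part must be at least 4 characters ({4,}); anything shorter is
# deliberately ignored to keep noise down, which also means an allowlist entry
# for a shorter dummy password (e.g. foo:bar) can never fire.
[[rules]]
id = "basic-auth-url"
description = "Credentials in HTTP(S) URL userinfo"
regex = '''https?://[^:/\s@]+:[^@/\s]{4,}@'''
tags = ["credentials", "url"]

[rules.allowlist]
# Skip well-known dummy/example creds that legitimately appear in docs
# and test fixtures, and template-literal interpolations in source code
# (e.g. `http://${user}:${password}@...` — not an actual credential).
# The rule defines no secretGroup, so these are presumably tested against the
# whole match (scheme through "@"); keep the `https?://` prefix on every entry
# so a pattern can only suppress a complete dummy URL, never a bare password.
regexes = [
    '''https?://user:pass(word)?@''',
    '''https?://admin:admin@''',
    '''https?://test:test@''',
    '''https?://example:example@''',
    # Cannot fire with the current {4,} password floor ("bar" is 3 chars);
    # kept so it keeps working if that floor is ever lowered.
    '''https?://foo:bar@''',
    '''https?://[^:]+:password@''',
    '''https?://[^:]+:secret@''',
    # JS template literal http://${user}:${password}@
    '''https?://\$\{[^}]+\}:\$\{[^}]+\}@''',
    # Python f-string http://{username}:{password}@
    '''https?://\{[^}]+\}:\{[^}]+\}@''',
]

# ── Global allowlist ─────────────────────────────────────────────────────

[allowlist]
description = "Global paths and patterns that never contain real secrets"
# Each entry is a regex tested against the repo-relative path; judging by the
# (.*?) prefix used below they are not anchored at the start, so a pattern
# matches anywhere in the path unless it is written with ^.
# Everything matched here is skipped by every rule, including the defaults —
# a real credential that lands under one of these paths will not be reported.
paths = [
    # Binary/image assets. A literal "." is required before the extension so a
    # path that merely ends in these letters (e.g. a file named "svg") is still
    # scanned.
    '''(.*?)\.(png|jpg|jpeg|gif|svg|ico|webp|pdf)$''',
    '''frontend/dist/.*''',
    '''frontend/node_modules/.*''',
    # Test fixtures: only dummy data belongs here; real secrets would be missed.
    '''backend/tests/fixtures/.*''',
    '''static/assets/.*''', # bundled frontend build output (minified JS/CSS)
    # Historical log file (deleted in working tree, still in git history).
    # Credentials inside have been rotated; allowlisted to keep future scans
    # from re-surfacing them as noise. Unanchored, so any path ending in this
    # filename is skipped, not just the original location.
    '''bambutrack\.log\.1$''',
]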