| 123456789101112131415161718192021222324252627282930313233343536373839404142 |
- title = "Bambuddy gitleaks config"
- # Extend the built-in ruleset instead of replacing it.
- [extend]
- useDefault = true
- # ── Custom rules ─────────────────────────────────────────────────────────
- # Flag credentials embedded in URL userinfo, e.g.
- # http://USERNAME:PASSWORD@host/
- # gitleaks' default ruleset does not catch these because plain alphanumeric
- # passwords have no recognisable signature — only the URL structure does.
- [[rules]]
- id = "basic-auth-url"
- description = "Credentials in HTTP(S) URL userinfo"
- regex = '''https?://[^:/\s@]+:[^@/\s]{4,}@'''
- tags = ["credentials", "url"]
- [rules.allowlist]
- # Skip well-known dummy/example creds that legitimately appear in docs
- # and test fixtures. Extend as new false positives show up.
- regexes = [
- '''https?://user:pass(word)?@''',
- '''https?://admin:admin@''',
- '''https?://test:test@''',
- '''https?://example:example@''',
- '''https?://foo:bar@''',
- '''https?://[^:]+:password@''',
- '''https?://[^:]+:secret@''',
- ]
- # ── Global allowlist ─────────────────────────────────────────────────────
- [allowlist]
- description = "Global paths and patterns that never contain real secrets"
- paths = [
- '''(.*?)(png|jpg|jpeg|gif|svg|ico|webp|pdf)$''',
- '''frontend/dist/.*''',
- '''frontend/node_modules/.*''',
- '''backend/tests/fixtures/.*''',
- '''static/assets/.*''', # bundled frontend build output (minified JS/CSS)
- ]
|
