Improve gitleaks go h1 hashes detection (#66)

himax1991 · himax1991 · commit 44549857638c · 2026-03-27T19:33:50.000+03:00
Improve gitleaks go h1 hashes detection --------- Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com> (cherry picked from commit 149c6c0)
diff --git a/gitleaks/config/gitleaks.base.toml b/gitleaks/config/gitleaks.base.toml
@@ -1,6 +1,6 @@
 # Centralized Gitleaks configuration for all Deckhouse repositories
 # This file is distributed via modules-actions/gitleaks action
-# 
+#
 # Repositories can extend this config by creating local .gitleaks.toml:
 #   [extend]
 #   useDefault = false
@@ -13,14 +13,16 @@ useDefault = true
 # Global allowlists
 [allowlist]
 
+regexTarget = "line"
+
 # === Safe files/directories ===
 # NOTE: Use exact paths, NOT glob patterns like **/go.mod
 
 paths = [
     # Go dependencies - public hashes
     "go.mod",
     "go.sum",
-    
+
     # Specific files with known false positives
     # "modules/101-cert-manager/docs/USAGE.md",
     # "modules/101-cert-manager/docs/USAGE_RU.md",
@@ -29,11 +31,8 @@ paths = [
 # === Safe patterns ===
 regexes = [
     # Go module checksums - always public
-    '''h1:[A-Za-z0-9+/=]{40,}''',
-    
-    # Public certificates (only ca.crt, NOT private keys!)
-    '''data:\s*\n\s*ca\.crt:\s*[A-Za-z0-9+/=\s]+''',
-    
+    '''h1:[A-Za-z0-9+/=]{12,}''',
+
     # AWS Example values from official documentation - exact match
     '''AKIAIOSFODNN7EXAMPLE''',
     '''wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY''',
