# Document-wide metadata. Of these, `title` is the key documented for gitleaks
# config files; the others are informational unless the running version
# recognises them.
title = "Gitleaks config for MSDO repos"
description = "Targets JS, Terraform, Python, Cloud configs, AWS and Azure secrets, and Git metadata"
version = "2"
# NOTE(review): with redaction off, every matched secret value is written
# verbatim into scanner output (CI logs, JSON/SARIF reports), which is usually
# retained longer and read more widely than the repository itself. Locating a
# finding via file, line and fingerprint does not need the plaintext value.
# In gitleaks v8 redaction is controlled by the `--redact` CLI flag; confirm
# this config key is honoured by the version in use.
redact = false # Show actual secrets in alerts
# NOTE(review): `[config]`/`logLevel` and `[[config.pathAllowlist]]` are not
# part of the documented gitleaks v8 config schema (path selection there is
# expressed with `[allowlist] paths` and per-rule `path`). Confirm against
# the version in use; if unrecognised, this whole section is silently
# ignored and every file in the repository is scanned.
[config]
logLevel = "INFO"
# Scan these specific file types
[[config.pathAllowlist]]
description = "Only scan selected file extensions"
regexes = [
".*\\.js$",
".*\\.jsx$",
".*\\.ts$",
".*\\.tsx$",
# `.exe`/`.dll` are binaries: the text regexes below mostly produce noise on
# them, and the header description (JS, Terraform, Python, cloud configs)
# does not mention them.
".*\\.exe$",
".*\\.dll$",
".*\\.py$",
".*\\.tf$",
".*\\.json$",
".*\\.yml$",
".*\\.yaml$",
# Case-sensitive and suffix-only: matches `name.dockerfile` but not the far
# more common bare `Dockerfile`, which has no extension.
".*\\.dockerfile$",
".*\\.template$",
".*\\.bicep$"
]
##########################
# Common Secret Rules
##########################
[[rules]]
id = "aws-access-key"
# Access key IDs: a 4-character prefix (AKIA/ASIA/ABIA/ACCA, or A3T plus one
# character) followed by exactly 16 characters from [A-Z0-9]. No word
# boundaries are required, so the pattern also fires inside a longer
# upper-case alphanumeric string.
regex = '(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'
description = 'AWS Access Key'
tags = ['AWS', 'key']
[[rules]]
id = "aws-secret-key"
# Case-insensitive: the word "aws", up to two gaps of at most 20 characters
# with an optional "secret"/"access" between them, a 1-10 character run of
# quote/`=`/`:`/whitespace, then a 40-character value from the base64
# alphabet [0-9a-zA-Z/+].
regex = '''(?i)aws(.{0,20})?(secret|access)?(.{0,20})?['\"=:\s]{1,10}[0-9a-zA-Z/+]{40}'''
description = 'AWS Secret Access Key'
tags = ['AWS', 'secret']
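[[rules]]
id = "azure-client-secret"
description = "Azure Client Secret"
# The previous pattern `(azure)?.*(client)?.*(secret)...` made every context
# group optional, so it matched exactly the same lines as `secret...` alone,
# but the greedy `.*` made the reported match start at the beginning of the
# line and run up to the value. This pattern keeps the same match set and
# captures only the value; `secretGroup` makes gitleaks report group 1 as
# the secret instead of the whole match.
# NOTE(review): any `secret = <20-100 chars>` assignment triggers this rule,
# which overlaps the `generic-secret` rule in this file; add an Azure-specific
# keyword if only Azure client secrets are wanted.
regex = '''(?i)secret["'=:\s]{1,10}([0-9a-zA-Z\-_.]{20,100})'''
secretGroup = 1
tags = ["Azure", "secret"]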
[[rules]]
id = "azure-storage-key"
description = 'Azure Storage Account Key'
tags = ['Azure', 'storage']
# A full storage connection string: all four `;`-separated fields must be
# present in this order. Matching is case-insensitive and each `.*` is
# greedy, so the match extends to the end of the line.
regex = '(?i)(DefaultEndpointsProtocol=.*;AccountName=.*;AccountKey=.*;EndpointSuffix=.*)'
[[rules]]
id = "terraform-password"
description = 'Hardcoded password in Terraform or cloud config'
tags = ['terraform', 'password']
# Keyword, at most 20 characters that are not `=`, `:` or `.`, a `=`/`:`
# separator, optional quote, then a value of 8-45 characters from
# [a-z0-9=_-] (case-insensitive). The value stops at the first character
# outside that set, so at least 8 such characters must lead the value.
# `administrator_login_password` only widens the reported match to start at
# the full key name; `password` alone would detect the same lines.
regex = '''(?i)(administrator_login_password|password)[^=:.]{0,20}[:=][ \t]*["']?[a-z0-9=_\-]{8,45}["']?'''
[[rules]]
id = "jwt-token"
description = 'JWT Token'
tags = ['token', 'jwt']
# Three dot-separated base64url segments, the first starting with `eyJ`
# (the base64 encoding of `{"`, i.e. a JSON header) at a word boundary.
# There is no trailing boundary, so the match runs to the first character
# outside the base64url set.
regex = '\beyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+'
[[rules]]
id = "generic-secret"
description = 'Generic token/password/apiKey'
tags = ['generic', 'secret']
# Broad catch-all: one of the keywords, at most 20 characters that are not
# `=`, `:` or `.`, a `=`/`:` separator, optional quote, then a 10-150
# character value from [a-z0-9-_] (case-insensitive). Short keywords such
# as `key`, `api` and `auth` also match inside longer identifiers, so this
# rule is expected to be noisy; tune with the allowlist rather than by
# weakening the value length.
regex = '''(?i)(key|api|token|secret|client|passwd|password|auth|access)[^=:.]{0,20}[:=][ \t]*["']?[a-z0-9-_]{10,150}["']?'''
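[[rules]]
id = "private-key"
description = "Private Key"
# PEM header of a private key. The label between BEGIN and PRIVATE KEY is
# any short run of upper-case letters, digits, `_`, `-` and spaces, so in
# addition to the RSA/DSA/EC and unlabelled (PKCS#8) headers the previous
# `( RSA| DSA| EC)?` form accepted, this also catches `OPENSSH` (ssh-keygen's
# default format), `ENCRYPTED` (encrypted PKCS#8) and `PGP ... BLOCK`
# headers. Every header the old pattern matched still matches.
regex = '''-----BEGIN[ A-Z0-9_-]{0,20}PRIVATE KEY(?: BLOCK)?-----'''
tags = ["key", "private"]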
[[rules]]
id = "github-pat"
description = 'GitHub Personal Access Token'
tags = ['github', 'token']
# Classic token prefixes ghp_/gho_/ghu_/ghs_/ghr_ followed by exactly 36
# characters from [A-Za-z0-9_].
# NOTE(review): fine-grained tokens (`github_pat_` prefix) have a different
# shape and are not covered by this pattern.
regex = 'gh[pousr]_[A-Za-z0-9_]{36}'
[[rules]]
id = "slack-webhook"
description = 'Slack Webhook URL'
tags = ['slack', 'webhook']
# Incoming-webhook URL with fixed-width path segments: `T` + 8, `B` + 8,
# then a 24-character token. NOTE(review): workspace/bot IDs longer than 8
# characters would not match — confirm against current Slack ID lengths.
# The unescaped dots in the host match any character, which is harmless here.
regex = 'https://hooks.slack.com/services/T[A-Z0-9]{8}/B[A-Z0-9]{8}/[a-zA-Z0-9]{24}'
##########################
# Git Metadata Rules
##########################
[[rules]]
id = "git-commit-email"
description = 'Exposed Git email in commit'
tags = ['git', 'email']
entropy = false
# Any email-shaped string in scanned content: local part, `@`, a domain and
# a TLD of two or more letters. Nothing in the pattern ties it to Git
# author/committer metadata, so it flags every address in source, docs and
# config that the allowlist does not exclude.
# NOTE(review): in gitleaks v8 `entropy` is a numeric threshold; confirm the
# version in use accepts a boolean here rather than rejecting the config.
regex = '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
[[rules]]
id = "git-author-name"
description = 'Git author name (example detection)'
tags = ['git', 'name']
entropy = false
# `author:` or `committer:` (case-insensitive), optional whitespace and
# quote, then 3+ characters from [a-z0-9_- ]; e.g. the `Author:` line of
# `git log` output if such text is committed. The name is captured in
# group 2 but no `secretGroup` is set, so the whole match is reported.
regex = '''(?i)(author|committer):\s*["']?([a-z0-9_\- ]{3,})["']?'''
##########################
# Allowlist false positives
##########################
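[allowlist]
description = "Ignore known non-sensitive files"
# `files` is kept for parsers that honour it. NOTE(review): the documented
# gitleaks v8 key for path allowlisting is `paths`; under v8 `files` is
# ignored and none of these exclusions would apply.
files = [
"test/",
"tests/",
"docs/",
".github/",
"README.md"
]
# Same intent as `files`, as anchored regexes. Allowlist entries are matched
# as unanchored regular expressions against the relative path, so the bare
# `test/` form also excluded e.g. `contest/` and `mytest/`, and `README.md`
# also matched names like `READMEXmd`. Literal strings avoid double-escaping.
# NOTE(review): blanket-excluding test directories is a common way real
# credentials (fixtures copied from live systems) escape scanning; prefer
# allowlisting specific fixture files or `regexes` entries for known dummies.
paths = [
'(^|/)tests?/',
'(^|/)docs/',
'^\.github/',
'(^|/)README\.md$',
]
# Findings whose matched text contains a `dummy_` value of 10+ alphanumerics
# are suppressed regardless of rule.
regexes = [
"dummy_[a-zA-Z0-9]{10,}"
]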