Gitleaks-readme-10.toml
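# Title for the gitleaks configuration file.
title = "Gitleaks title"

# Extend the base (this) configuration. When you extend a configuration
# the base rules take precedence over the extended rules. I.e., if there are
# duplicate rules in both the base configuration and the extended configuration
# the base rules will override the extended rules.
# Another thing to know with extending configurations is you can chain together
# multiple configuration files to a depth of 2. Allowlist arrays are appended
# and can contain duplicates.
# useDefault and path can NOT be used at the same time. Choose one.
[extend]
# useDefault will extend the base configuration with the default gitleaks config:
# https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
useDefault = true
# ...or, instead of useDefault, you can supply a path to a configuration. Path is
# relative to where gitleaks was invoked, not the location of the base config,
# so run gitleaks from a fixed directory (e.g. the repository root) to be sure
# the same extended rule set is loaded every time.
# Only one of useDefault / path may be set, so `path` is left commented out here
# to keep this example valid as written; uncomment it and drop useDefault to
# extend a local file instead.
# path = "common_config.toml"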
19
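# An array of tables; each element defines one rule describing how a
# particular kind of secret is detected.
[[rules]]

# Unique identifier for this rule
id = "awesome-rule-1"

# Short human readable description of the rule.
description = "awesome rule 1"

# Golang regular expression used to detect secrets. Note Golang's regex engine
# does not support lookaheads.
regex = '''one-go-style-regex-for-this-rule'''

# Int used to extract secret from regex match and used as the group that will have
# its entropy checked if `entropy` is set. It must refer to a capture group that
# actually exists in `regex` above (the placeholder regex here defines none).
secretGroup = 3

# Float representing the minimum shannon entropy a regex group must have to be considered a secret.
entropy = 3.5

# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
# in conjunction with a valid `regex` entry.
path = '''a-file-path-regex'''

# Keywords are used for pre-regex check filtering. Rules that contain
# keywords will perform a quick string compare check to make sure the
# keyword(s) are in the content being scanned. Ideally these values should
# either be part of the identifier or unique strings specific to the rule's regex
# (introduced in v8.6.0).
# Because content that contains none of the keywords is never handed to `regex`,
# a keyword that real secrets do not contain quietly turns this rule off for them.
keywords = [
  "auth",
  "password",
  "token",
]

# Array of strings used for metadata and reporting purposes.
tags = ["tag", "another tag"]

  # ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`.
  # This change was backwards-compatible: instances of `[rules.allowlist]` still work.
  #
  # You can define multiple allowlists for a rule to reduce false positives.
  # A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches.
  [[rules.allowlists]]
  description = "ignore commit A"
  # When multiple criteria are defined the default condition is "OR".
  # e.g., this can match on |commits| OR |paths| OR |stopwords|.
  condition = "OR"
  commits = ["commit-A", "commit-B"]
  paths = [
    '''go\.mod''',
    '''go\.sum''',
  ]
  # note: stopwords targets the extracted secret, not the entire regex match
  # like 'regexes' does. (stopwords introduced in 8.8.0)
  # Keep stopwords specific: with "OR" above, any extracted secret matched by a
  # stopword is dropped regardless of the other criteria in this allowlist.
  stopwords = [
    '''client''',
    '''endpoint''',
  ]

  [[rules.allowlists]]
  # The "AND" condition can be used to make sure all criteria match.
  # e.g., this matches if |regexes| AND |paths| are satisfied.
  condition = "AND"
  # note: |regexes| defaults to check the _Secret_ in the finding.
  # Acceptable values for |regexTarget| are "secret" (default), "match", and "line".
  regexTarget = "match"
  regexes = ['''(?i)parseur[il]''']
  paths = ['''package-lock\.json''']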
90
# A rule from the default config can be extended by re-declaring only its `id`;
# e.g. gitlab-pat, when your GitLab instance uses a custom token prefix.
# This relies on `[extend] useDefault = true` above, since the rule being
# extended lives in the default config.
[[rules]]
id = "gitlab-pat"
# Every other attribute of the default gitlab-pat rule is inherited unchanged.

  [[rules.allowlists]]
  # Match the allowlist regex against the whole line rather than just the secret.
  regexTarget = "line"
  regexes = ['''MY-glpat-''']
100
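# This is a global allowlist which has a higher order of precedence than rule-specific allowlists.
# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
# secrets will be detected for said commit. The same logic applies for regexes and paths.
# Because it applies to every rule, each entry here is a blanket exemption:
# keep patterns as narrow as the intent allows.
[allowlist]
description = "global allow list"
commits = ["commit-A", "commit-B", "commit-C"]
paths = [
  '''gitleaks\.toml''',
  # note: this pattern is unanchored and has no literal dot, so it excludes any
  # path that merely contains "jpg", "gif" or "doc" (e.g. a `docs/` directory),
  # not only files with those extensions. Use something like
  # '''\.(jpg|gif|doc)$''' if only the file extension should be matched.
  '''(.*?)(jpg|gif|doc)''',
]

# note: (global) regexTarget defaults to check the _Secret_ in the finding.
# if regexTarget is not specified then _Secret_ will be used.
# Acceptable values for regexTarget are "match" and "line"; leave it unset to
# keep the default of checking the _Secret_.
regexTarget = "match"
regexes = [
  '''219-09-9999''',
  '''078-05-1120''',
  '''(9[0-9]{2}|666)-\d{2}-\d{4}''',
]
# note: stopwords targets the extracted secret, not the entire regex match
# like 'regexes' does. (stopwords introduced in 8.8.0)
# These apply to findings from every rule, so a broad stopword here silences
# real secrets globally.
stopwords = [
  '''client''',
  '''endpoint''',
]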