Revision of Gitleaks-readme-10.toml

1

+

# Title for the gitleaks configuration file.

2

+

title = "Gitleaks title"

3

+

4

+

# Extend the base (this) configuration. When you extend a configuration

5

+

# the base rules take precedence over the extended rules. I.e., if there are

6

+

# duplicate rules in both the base configuration and the extended configuration

7

+

# the base rules will override the extended rules.

8

+

# Another thing to know with extending configurations is you can chain together

9

+

# multiple configuration files to a depth of 2. Allowlist arrays are appended

10

+

# and can contain duplicates.

11

+

# useDefault and path can NOT be used at the same time. Choose one.

12

+

[extend]

13

+

# useDefault will extend the base configuration with the default gitleaks config:

14

+

# https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml

15

+

useDefault = true

16

+

# or you can supply a path to a configuration. Path is relative to where gitleaks

17

+

# was invoked, not the location of the base config.

18

+

path = "common_config.toml"

19

+

20

+

# An array of tables that contain information that define instructions

21

+

# on how to detect secrets

22

+

[[rules]]

23

+

24

+

# Unique identifier for this rule

25

+

id = "awesome-rule-1"

26

+

27

+

# Short human readable description of the rule.

28

+

description = "awesome rule 1"

29

+

30

+

# Golang regular expression used to detect secrets. Note Golang's regex engine

31

+

# does not support lookaheads.

32

+

regex = '''one-go-style-regex-for-this-rule'''

33

+

34

+

# Int used to extract secret from regex match and used as the group that will have

35

+

# its entropy checked if `entropy` is set.

36

+

secretGroup = 3

37

+

38

+

# Float representing the minimum shannon entropy a regex group must have to be considered a secret.

39

+

entropy = 3.5

40

+

41

+

# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used

42

+

# in conjunction with a valid `regex` entry.

43

+

path = '''a-file-path-regex'''

44

+

45

+

# Keywords are used for pre-regex check filtering. Rules that contain

46

+

# keywords will perform a quick string compare check to make sure the

47

+

# keyword(s) are in the content being scanned. Ideally these values should

48

+

# either be part of the identiifer or unique strings specific to the rule's regex

49

+

# (introduced in v8.6.0)

50

+

keywords = [

51

+

"auth",

52

+

"password",

53

+

"token",

54

+

]

55

+

56

+

# Array of strings used for metadata and reporting purposes.

57

+

tags = ["tag","another tag"]

58

+

59

+

# ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`.

60

+

# This change was backwards-compatible: instances of `[rules.allowlist]` still work.

61

+

#

62

+

# You can define multiple allowlists for a rule to reduce false positives.

63

+

# A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches.

64

+

[[rules.allowlists]]

65

+

description = "ignore commit A"

66

+

# When multiple criteria are defined the default condition is "OR".

67

+

# e.g., this can match on |commits| OR |paths| OR |stopwords|.

68

+

condition = "OR"

69

+

commits = [ "commit-A", "commit-B"]

70

+

paths = [

71

+

'''go\.mod''',

72

+

'''go\.sum'''

73

+

]

74

+

# note: stopwords targets the extracted secret, not the entire regex match

75

+

# like 'regexes' does. (stopwords introduced in 8.8.0)

76

+

stopwords = [

77

+

'''client''',

78

+

'''endpoint''',

79

+

]

80

+

81

+

[[rules.allowlists]]

82

+

# The "AND" condition can be used to make sure all criteria match.

83

+

# e.g., this matches if |regexes| AND |paths| are satisfied.

84

+

condition = "AND"

85

+

# note: |regexes| defaults to check the _Secret_ in the finding.

86

+

# Acceptable values for |regexTarget| are "secret" (default), "match", and "line".

87

+

regexTarget = "match"

88

+

regexes = [ '''(?i)parseur[il]''' ]

89

+

paths = [ '''package-lock\.json''' ]

90

+

91

+

# You can extend a particular rule from the default config. e.g., gitlab-pat

92

+

# if you have defined a custom token prefix on your GitLab instance

93

+

[[rules]]

94

+

id = "gitlab-pat"

95

+

# all the other attributes from the default rule are inherited

96

+

97

+

[[rules.allowlists]]

98

+

regexTarget = "line"

99

+

regexes = [ '''MY-glpat-''' ]

100

+

101

+

# This is a global allowlist which has a higher order of precedence than rule-specific allowlists.

102

+

# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no

103

+

# secrets will be detected for said commit. The same logic applies for regexes and paths.

104

+

[allowlist]

105

+

description = "global allow list"

106

+

commits = [ "commit-A", "commit-B", "commit-C"]

107

+

paths = [

108

+

'''gitleaks\.toml''',

109

+

'''(.*?)(jpg|gif|doc)'''

110

+

]

111

+

112

+

# note: (global) regexTarget defaults to check the _Secret_ in the finding.

113

+

# if regexTarget is not specified then _Secret_ will be used.

114

+

# Acceptable values for regexTarget are "match" and "line"

115

+

regexTarget = "match"

116

+

regexes = [

117

+

'''219-09-9999''',

118

+

'''078-05-1120''',

119

+

'''(9[0-9]{2}|666)-\d{2}-\d{4}''',

120

+

]

121

+

# note: stopwords targets the extracted secret, not the entire regex match

122

+

# like 'regexes' does. (stopwords introduced in 8.8.0)

123

+

stopwords = [

124

+

'''client''',

125

+

'''endpoint''',

126

+

]

knox / Gitleaks-readme-10.toml

knox revised this gist 1729286975. Go to revision

		@@ -0,0 +1,126 @@
1	+	# Title for the gitleaks configuration file.
2	+	title = "Gitleaks title"
3	+
4	+	# Extend the base (this) configuration. When you extend a configuration
5	+	# the base rules take precedence over the extended rules. I.e., if there are
6	+	# duplicate rules in both the base configuration and the extended configuration
7	+	# the base rules will override the extended rules.
8	+	# Another thing to know with extending configurations is you can chain together
9	+	# multiple configuration files to a depth of 2. Allowlist arrays are appended
10	+	# and can contain duplicates.
11	+	# useDefault and path can NOT be used at the same time. Choose one.
12	+	[extend]
13	+	# useDefault will extend the base configuration with the default gitleaks config:
14	+	# https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
15	+	useDefault = true
16	+	# or you can supply a path to a configuration. Path is relative to where gitleaks
17	+	# was invoked, not the location of the base config.
18	+	path = "common_config.toml"
19	+
20	+	# An array of tables that contain information that define instructions
21	+	# on how to detect secrets
22	+	[[rules]]
23	+
24	+	# Unique identifier for this rule
25	+	id = "awesome-rule-1"
26	+
27	+	# Short human readable description of the rule.
28	+	description = "awesome rule 1"
29	+
30	+	# Golang regular expression used to detect secrets. Note Golang's regex engine
31	+	# does not support lookaheads.
32	+	regex = '''one-go-style-regex-for-this-rule'''
33	+
34	+	# Int used to extract secret from regex match and used as the group that will have
35	+	# its entropy checked if `entropy` is set.
36	+	secretGroup = 3
37	+
38	+	# Float representing the minimum shannon entropy a regex group must have to be considered a secret.
39	+	entropy = 3.5
40	+
41	+	# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
42	+	# in conjunction with a valid `regex` entry.
43	+	path = '''a-file-path-regex'''
44	+
45	+	# Keywords are used for pre-regex check filtering. Rules that contain
46	+	# keywords will perform a quick string compare check to make sure the
47	+	# keyword(s) are in the content being scanned. Ideally these values should
48	+	# either be part of the identiifer or unique strings specific to the rule's regex
49	+	# (introduced in v8.6.0)
50	+	keywords = [
51	+	"auth",
52	+	"password",
53	+	"token",
54	+	]
55	+
56	+	# Array of strings used for metadata and reporting purposes.
57	+	tags = ["tag","another tag"]
58	+
59	+	# ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`.
60	+	# This change was backwards-compatible: instances of `[rules.allowlist]` still work.
61	+	#
62	+	# You can define multiple allowlists for a rule to reduce false positives.
63	+	# A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches.
64	+	[[rules.allowlists]]
65	+	description = "ignore commit A"
66	+	# When multiple criteria are defined the default condition is "OR".
67	+	# e.g., this can match on \|commits\| OR \|paths\| OR \|stopwords\|.
68	+	condition = "OR"
69	+	commits = [ "commit-A", "commit-B"]
70	+	paths = [
71	+	'''go\.mod''',
72	+	'''go\.sum'''
73	+	]
74	+	# note: stopwords targets the extracted secret, not the entire regex match
75	+	# like 'regexes' does. (stopwords introduced in 8.8.0)
76	+	stopwords = [
77	+	'''client''',
78	+	'''endpoint''',
79	+	]
80	+
81	+	[[rules.allowlists]]
82	+	# The "AND" condition can be used to make sure all criteria match.
83	+	# e.g., this matches if \|regexes\| AND \|paths\| are satisfied.
84	+	condition = "AND"
85	+	# note: \|regexes\| defaults to check the _Secret_ in the finding.
86	+	# Acceptable values for \|regexTarget\| are "secret" (default), "match", and "line".
87	+	regexTarget = "match"
88	+	regexes = [ '''(?i)parseur[il]''' ]
89	+	paths = [ '''package-lock\.json''' ]
90	+
91	+	# You can extend a particular rule from the default config. e.g., gitlab-pat
92	+	# if you have defined a custom token prefix on your GitLab instance
93	+	[[rules]]
94	+	id = "gitlab-pat"
95	+	# all the other attributes from the default rule are inherited
96	+
97	+	[[rules.allowlists]]
98	+	regexTarget = "line"
99	+	regexes = [ '''MY-glpat-''' ]
100	+
101	+	# This is a global allowlist which has a higher order of precedence than rule-specific allowlists.
102	+	# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
103	+	# secrets will be detected for said commit. The same logic applies for regexes and paths.
104	+	[allowlist]
105	+	description = "global allow list"
106	+	commits = [ "commit-A", "commit-B", "commit-C"]
107	+	paths = [
108	+	'''gitleaks\.toml''',
109	+	'''(.*?)(jpg\|gif\|doc)'''
110	+	]
111	+
112	+	# note: (global) regexTarget defaults to check the _Secret_ in the finding.
113	+	# if regexTarget is not specified then _Secret_ will be used.
114	+	# Acceptable values for regexTarget are "match" and "line"
115	+	regexTarget = "match"
116	+	regexes = [
117	+	'''219-09-9999''',
118	+	'''078-05-1120''',
119	+	'''(9[0-9]{2}\|666)-\d{2}-\d{4}''',
120	+	]
121	+	# note: stopwords targets the extracted secret, not the entire regex match
122	+	# like 'regexes' does. (stopwords introduced in 8.8.0)
123	+	stopwords = [
124	+	'''client''',
125	+	'''endpoint''',
126	+	]