knox ha revisionato questo gist . Vai alla revisione
1 file changed, 126 insertions
Gitleaks-readme-10.toml(file creato)
@@ -0,0 +1,126 @@ | |||
1 | + | # Title for the gitleaks configuration file. | |
2 | + | title = "Gitleaks title" | |
3 | + | ||
4 | + | # Extend the base (this) configuration. When you extend a configuration | |
5 | + | # the base rules take precedence over the extended rules. I.e., if there are | |
6 | + | # duplicate rules in both the base configuration and the extended configuration | |
7 | + | # the base rules will override the extended rules. | |
8 | + | # Another thing to know with extending configurations is you can chain together | |
9 | + | # multiple configuration files to a depth of 2. Allowlist arrays are appended | |
10 | + | # and can contain duplicates. | |
11 | + | # useDefault and path can NOT be used at the same time. Choose one. | |
12 | + | [extend] | |
13 | + | # useDefault will extend the base configuration with the default gitleaks config: | |
14 | + | # https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml | |
15 | + | useDefault = true | |
16 | + | # or you can supply a path to a configuration. Path is relative to where gitleaks | |
17 | + | # was invoked, not the location of the base config. | |
18 | + | path = "common_config.toml" | |
19 | + | ||
20 | + | # An array of tables that contain information that define instructions | |
21 | + | # on how to detect secrets | |
22 | + | [[rules]] | |
23 | + | ||
24 | + | # Unique identifier for this rule | |
25 | + | id = "awesome-rule-1" | |
26 | + | ||
27 | + | # Short human readable description of the rule. | |
28 | + | description = "awesome rule 1" | |
29 | + | ||
30 | + | # Golang regular expression used to detect secrets. Note Golang's regex engine | |
31 | + | # does not support lookaheads. | |
32 | + | regex = '''one-go-style-regex-for-this-rule''' | |
33 | + | ||
34 | + | # Int used to extract secret from regex match and used as the group that will have | |
35 | + | # its entropy checked if `entropy` is set. | |
36 | + | secretGroup = 3 | |
37 | + | ||
38 | + | # Float representing the minimum shannon entropy a regex group must have to be considered a secret. | |
39 | + | entropy = 3.5 | |
40 | + | ||
41 | + | # Golang regular expression used to match paths. This can be used as a standalone rule or it can be used | |
42 | + | # in conjunction with a valid `regex` entry. | |
43 | + | path = '''a-file-path-regex''' | |
44 | + | ||
45 | + | # Keywords are used for pre-regex check filtering. Rules that contain | |
46 | + | # keywords will perform a quick string compare check to make sure the | |
47 | + | # keyword(s) are in the content being scanned. Ideally these values should | |
48 | + | # either be part of the identiifer or unique strings specific to the rule's regex | |
49 | + | # (introduced in v8.6.0) | |
50 | + | keywords = [ | |
51 | + | "auth", | |
52 | + | "password", | |
53 | + | "token", | |
54 | + | ] | |
55 | + | ||
56 | + | # Array of strings used for metadata and reporting purposes. | |
57 | + | tags = ["tag","another tag"] | |
58 | + | ||
59 | + | # ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`. | |
60 | + | # This change was backwards-compatible: instances of `[rules.allowlist]` still work. | |
61 | + | # | |
62 | + | # You can define multiple allowlists for a rule to reduce false positives. | |
63 | + | # A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches. | |
64 | + | [[rules.allowlists]] | |
65 | + | description = "ignore commit A" | |
66 | + | # When multiple criteria are defined the default condition is "OR". | |
67 | + | # e.g., this can match on |commits| OR |paths| OR |stopwords|. | |
68 | + | condition = "OR" | |
69 | + | commits = [ "commit-A", "commit-B"] | |
70 | + | paths = [ | |
71 | + | '''go\.mod''', | |
72 | + | '''go\.sum''' | |
73 | + | ] | |
74 | + | # note: stopwords targets the extracted secret, not the entire regex match | |
75 | + | # like 'regexes' does. (stopwords introduced in 8.8.0) | |
76 | + | stopwords = [ | |
77 | + | '''client''', | |
78 | + | '''endpoint''', | |
79 | + | ] | |
80 | + | ||
81 | + | [[rules.allowlists]] | |
82 | + | # The "AND" condition can be used to make sure all criteria match. | |
83 | + | # e.g., this matches if |regexes| AND |paths| are satisfied. | |
84 | + | condition = "AND" | |
85 | + | # note: |regexes| defaults to check the _Secret_ in the finding. | |
86 | + | # Acceptable values for |regexTarget| are "secret" (default), "match", and "line". | |
87 | + | regexTarget = "match" | |
88 | + | regexes = [ '''(?i)parseur[il]''' ] | |
89 | + | paths = [ '''package-lock\.json''' ] | |
90 | + | ||
91 | + | # You can extend a particular rule from the default config. e.g., gitlab-pat | |
92 | + | # if you have defined a custom token prefix on your GitLab instance | |
93 | + | [[rules]] | |
94 | + | id = "gitlab-pat" | |
95 | + | # all the other attributes from the default rule are inherited | |
96 | + | ||
97 | + | [[rules.allowlists]] | |
98 | + | regexTarget = "line" | |
99 | + | regexes = [ '''MY-glpat-''' ] | |
100 | + | ||
101 | + | # This is a global allowlist which has a higher order of precedence than rule-specific allowlists. | |
102 | + | # If a commit listed in the `commits` field below is encountered then that commit will be skipped and no | |
103 | + | # secrets will be detected for said commit. The same logic applies for regexes and paths. | |
104 | + | [allowlist] | |
105 | + | description = "global allow list" | |
106 | + | commits = [ "commit-A", "commit-B", "commit-C"] | |
107 | + | paths = [ | |
108 | + | '''gitleaks\.toml''', | |
109 | + | '''(.*?)(jpg|gif|doc)''' | |
110 | + | ] | |
111 | + | ||
112 | + | # note: (global) regexTarget defaults to check the _Secret_ in the finding. | |
113 | + | # if regexTarget is not specified then _Secret_ will be used. | |
114 | + | # Acceptable values for regexTarget are "match" and "line" | |
115 | + | regexTarget = "match" | |
116 | + | regexes = [ | |
117 | + | '''219-09-9999''', | |
118 | + | '''078-05-1120''', | |
119 | + | '''(9[0-9]{2}|666)-\d{2}-\d{4}''', | |
120 | + | ] | |
121 | + | # note: stopwords targets the extracted secret, not the entire regex match | |
122 | + | # like 'regexes' does. (stopwords introduced in 8.8.0) | |
123 | + | stopwords = [ | |
124 | + | '''client''', | |
125 | + | '''endpoint''', | |
126 | + | ] |
Più nuovi
Più vecchi