Gitleaks-readme-10.toml
· 4.7 KiB · TOML
原始檔案
# Title for the gitleaks configuration file.
title = "Gitleaks title"
# Extend the base (this) configuration. When you extend a configuration
# the base rules take precedence over the extended rules. I.e., if there are
# duplicate rules in both the base configuration and the extended configuration
# the base rules will override the extended rules.
# Another thing to know with extending configurations is you can chain together
# multiple configuration files to a depth of 2. Allowlist arrays are appended
# and can contain duplicates.
# useDefault and path can NOT be used at the same time. Choose one.
[extend]
# useDefault will extend the base configuration with the default gitleaks config:
# https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
useDefault = true
# or you can supply a path to a configuration. Path is relative to where gitleaks
# was invoked, not the location of the base config.
path = "common_config.toml"
# An array of tables that contain information that define instructions
# on how to detect secrets
[[rules]]
# Unique identifier for this rule
id = "awesome-rule-1"
# Short human readable description of the rule.
description = "awesome rule 1"
# Golang regular expression used to detect secrets. Note Golang's regex engine
# does not support lookaheads.
regex = '''one-go-style-regex-for-this-rule'''
# Int used to extract secret from regex match and used as the group that will have
# its entropy checked if `entropy` is set.
secretGroup = 3
# Float representing the minimum shannon entropy a regex group must have to be considered a secret.
entropy = 3.5
# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
# in conjunction with a valid `regex` entry.
path = '''a-file-path-regex'''
# Keywords are used for pre-regex check filtering. Rules that contain
# keywords will perform a quick string compare check to make sure the
# keyword(s) are in the content being scanned. Ideally these values should
# either be part of the identiifer or unique strings specific to the rule's regex
# (introduced in v8.6.0)
keywords = [
"auth",
"password",
"token",
]
# Array of strings used for metadata and reporting purposes.
tags = ["tag","another tag"]
# ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`.
# This change was backwards-compatible: instances of `[rules.allowlist]` still work.
#
# You can define multiple allowlists for a rule to reduce false positives.
# A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches.
[[rules.allowlists]]
description = "ignore commit A"
# When multiple criteria are defined the default condition is "OR".
# e.g., this can match on |commits| OR |paths| OR |stopwords|.
condition = "OR"
commits = [ "commit-A", "commit-B"]
paths = [
'''go\.mod''',
'''go\.sum'''
]
# note: stopwords targets the extracted secret, not the entire regex match
# like 'regexes' does. (stopwords introduced in 8.8.0)
stopwords = [
'''client''',
'''endpoint''',
]
[[rules.allowlists]]
# The "AND" condition can be used to make sure all criteria match.
# e.g., this matches if |regexes| AND |paths| are satisfied.
condition = "AND"
# note: |regexes| defaults to check the _Secret_ in the finding.
# Acceptable values for |regexTarget| are "secret" (default), "match", and "line".
regexTarget = "match"
regexes = [ '''(?i)parseur[il]''' ]
paths = [ '''package-lock\.json''' ]
# You can extend a particular rule from the default config. e.g., gitlab-pat
# if you have defined a custom token prefix on your GitLab instance
[[rules]]
id = "gitlab-pat"
# all the other attributes from the default rule are inherited
[[rules.allowlists]]
regexTarget = "line"
regexes = [ '''MY-glpat-''' ]
# This is a global allowlist which has a higher order of precedence than rule-specific allowlists.
# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
# secrets will be detected for said commit. The same logic applies for regexes and paths.
[allowlist]
description = "global allow list"
commits = [ "commit-A", "commit-B", "commit-C"]
paths = [
'''gitleaks\.toml''',
'''(.*?)(jpg|gif|doc)'''
]
# note: (global) regexTarget defaults to check the _Secret_ in the finding.
# if regexTarget is not specified then _Secret_ will be used.
# Acceptable values for regexTarget are "match" and "line"
regexTarget = "match"
regexes = [
'''219-09-9999''',
'''078-05-1120''',
'''(9[0-9]{2}|666)-\d{2}-\d{4}''',
]
# note: stopwords targets the extracted secret, not the entire regex match
# like 'regexes' does. (stopwords introduced in 8.8.0)
stopwords = [
'''client''',
'''endpoint''',
]
1 | # Title for the gitleaks configuration file. |
2 | title = "Gitleaks title" |
3 | |
4 | # Extend the base (this) configuration. When you extend a configuration |
5 | # the base rules take precedence over the extended rules. I.e., if there are |
6 | # duplicate rules in both the base configuration and the extended configuration |
7 | # the base rules will override the extended rules. |
8 | # Another thing to know with extending configurations is you can chain together |
9 | # multiple configuration files to a depth of 2. Allowlist arrays are appended |
10 | # and can contain duplicates. |
11 | # useDefault and path can NOT be used at the same time. Choose one. |
12 | [extend] |
13 | # useDefault will extend the base configuration with the default gitleaks config: |
14 | # https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml |
15 | useDefault = true |
16 | # or you can supply a path to a configuration. Path is relative to where gitleaks |
17 | # was invoked, not the location of the base config. |
18 | path = "common_config.toml" |
19 | |
20 | # An array of tables that contain information that define instructions |
21 | # on how to detect secrets |
22 | [[rules]] |
23 | |
24 | # Unique identifier for this rule |
25 | id = "awesome-rule-1" |
26 | |
27 | # Short human readable description of the rule. |
28 | description = "awesome rule 1" |
29 | |
30 | # Golang regular expression used to detect secrets. Note Golang's regex engine |
31 | # does not support lookaheads. |
32 | regex = '''one-go-style-regex-for-this-rule''' |
33 | |
34 | # Int used to extract secret from regex match and used as the group that will have |
35 | # its entropy checked if `entropy` is set. |
36 | secretGroup = 3 |
37 | |
38 | # Float representing the minimum shannon entropy a regex group must have to be considered a secret. |
39 | entropy = 3.5 |
40 | |
41 | # Golang regular expression used to match paths. This can be used as a standalone rule or it can be used |
42 | # in conjunction with a valid `regex` entry. |
43 | path = '''a-file-path-regex''' |
44 | |
45 | # Keywords are used for pre-regex check filtering. Rules that contain |
46 | # keywords will perform a quick string compare check to make sure the |
47 | # keyword(s) are in the content being scanned. Ideally these values should |
48 | # either be part of the identiifer or unique strings specific to the rule's regex |
49 | # (introduced in v8.6.0) |
50 | keywords = [ |
51 | "auth", |
52 | "password", |
53 | "token", |
54 | ] |
55 | |
56 | # Array of strings used for metadata and reporting purposes. |
57 | tags = ["tag","another tag"] |
58 | |
59 | # ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`. |
60 | # This change was backwards-compatible: instances of `[rules.allowlist]` still work. |
61 | # |
62 | # You can define multiple allowlists for a rule to reduce false positives. |
63 | # A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches. |
64 | [[rules.allowlists]] |
65 | description = "ignore commit A" |
66 | # When multiple criteria are defined the default condition is "OR". |
67 | # e.g., this can match on |commits| OR |paths| OR |stopwords|. |
68 | condition = "OR" |
69 | commits = [ "commit-A", "commit-B"] |
70 | paths = [ |
71 | '''go\.mod''', |
72 | '''go\.sum''' |
73 | ] |
74 | # note: stopwords targets the extracted secret, not the entire regex match |
75 | # like 'regexes' does. (stopwords introduced in 8.8.0) |
76 | stopwords = [ |
77 | '''client''', |
78 | '''endpoint''', |
79 | ] |
80 | |
81 | [[rules.allowlists]] |
82 | # The "AND" condition can be used to make sure all criteria match. |
83 | # e.g., this matches if |regexes| AND |paths| are satisfied. |
84 | condition = "AND" |
85 | # note: |regexes| defaults to check the _Secret_ in the finding. |
86 | # Acceptable values for |regexTarget| are "secret" (default), "match", and "line". |
87 | regexTarget = "match" |
88 | regexes = [ '''(?i)parseur[il]''' ] |
89 | paths = [ '''package-lock\.json''' ] |
90 | |
91 | # You can extend a particular rule from the default config. e.g., gitlab-pat |
92 | # if you have defined a custom token prefix on your GitLab instance |
93 | [[rules]] |
94 | id = "gitlab-pat" |
95 | # all the other attributes from the default rule are inherited |
96 | |
97 | [[rules.allowlists]] |
98 | regexTarget = "line" |
99 | regexes = [ '''MY-glpat-''' ] |
100 | |
101 | # This is a global allowlist which has a higher order of precedence than rule-specific allowlists. |
102 | # If a commit listed in the `commits` field below is encountered then that commit will be skipped and no |
103 | # secrets will be detected for said commit. The same logic applies for regexes and paths. |
104 | [allowlist] |
105 | description = "global allow list" |
106 | commits = [ "commit-A", "commit-B", "commit-C"] |
107 | paths = [ |
108 | '''gitleaks\.toml''', |
109 | '''(.*?)(jpg|gif|doc)''' |
110 | ] |
111 | |
112 | # note: (global) regexTarget defaults to check the _Secret_ in the finding. |
113 | # if regexTarget is not specified then _Secret_ will be used. |
114 | # Acceptable values for regexTarget are "match" and "line" |
115 | regexTarget = "match" |
116 | regexes = [ |
117 | '''219-09-9999''', |
118 | '''078-05-1120''', |
119 | '''(9[0-9]{2}|666)-\d{2}-\d{4}''', |
120 | ] |
121 | # note: stopwords targets the extracted secret, not the entire regex match |
122 | # like 'regexes' does. (stopwords introduced in 8.8.0) |
123 | stopwords = [ |
124 | '''client''', |
125 | '''endpoint''', |
126 | ] |