calciforge/.gitleaks.toml at main · bglusman/calciforge · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# .gitleaks.toml — Secret + infrastructure-disclosure scanner config (public).
#
# Enforced in CI via .github/workflows/secret-scan.yml. The workflow fetches
# full history (fetch-depth: 0) and the gitleaks action scans the repository +
# git history, so findings anywhere in history will fail the job — not just
# newly introduced diff. If that becomes noisy after history rewrites or
# baseline work, switch the workflow to a diff-only scan.
#
# TWO-LAYER DESIGN — why this file is deliberately generic:
#   - This file ships in the public repo, so anything named here is itself
#     disclosed. A rule that names a specific domain teaches attackers which
#     domain to search for. So this file carries only patterns generic to a
#     class of users, not specific to any deployment.
#   - Personal / per-deployment patterns (specific domains, service
#     identifiers tied to a real user) live in `.gitleaks.local.toml` — a
#     gitignored file. See `.gitleaks.local.toml.example` for the template +
#     how to extend. CI runs only this file; developers opt into the stricter
#     local config for their own commits:
#         gitleaks detect --config .gitleaks.local.toml
#
# Rules here catch the SHAPE of disclosure (private-IP ranges, generic
# credential-in-header patterns), not any specific user's identifiers.

title = "calciforge secret + infra-leak rules (public, generic)"

# Start from gitleaks' curated default rules (40+ cloud/tool token patterns).
[extend]
useDefault = true

# ── Private-network IP ranges — generic, not user-specific ───────────────────
# Apply to everyone with any home/office LAN. Catching these prevents the
# "oops I committed my workstation's LAN IP" footgun.

[[rules]]
id = "rfc1918-192-168"
description = "RFC 1918 private range 192.168.0.0/16 — home LAN topology"
regex = '''\b192\.168\.(?:25[0-5]|2[0-4]\d|1\d\d|\d\d?)\.(?:25[0-5]|2[0-4]\d|1\d\d|\d\d?)\b'''
tags = ["infra-leak"]

[[rules]]
id = "rfc1918-10-net"
description = "RFC 1918 private range 10.0.0.0/8 — private network topology"
regex = '''\b10\.(?:25[0-5]|2[0-4]\d|1\d\d|\d\d?)\.(?:25[0-5]|2[0-4]\d|1\d\d|\d\d?)\.(?:25[0-5]|2[0-4]\d|1\d\d|\d\d?)\b'''
tags = ["infra-leak"]

[[rules]]
id = "rfc6598-cgnat"
description = "RFC 6598 CGNAT range 100.64.0.0/10 — also used by Tailscale"
regex = '''\b100\.(?:6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.(?:25[0-5]|2[0-4]\d|1\d\d|\d\d?)\.(?:25[0-5]|2[0-4]\d|1\d\d|\d\d?)\b'''
tags = ["infra-leak"]

# ── Generic credential-in-header / URL patterns ──────────────────────────────

[[rules]]
id = "bearer-token-in-header"
description = "Hardcoded Bearer token in an Authorization header string literal"
# Matches: Authorization: Bearer <16+ non-space chars>
regex = '''[Aa]uthorization["']?\s*:\s*["']?Bearer\s+[A-Za-z0-9_\-\.]{16,}'''
tags = ["secret"]

[[rules]]
id = "basic-auth-in-url"
description = "user:password@ credentials embedded in a URL"
regex = '''https?://[^/\s:@]+:[^/\s@]{4,}@[^/\s]+'''
tags = ["secret"]

# ── Allowlist — known-safe paths and values ──────────────────────────────────

[allowlist]
description = "Paths and literals that are always safe — never scan or flag"
paths = [
    '''\.gitleaks\.toml$''',
    '''\.gitleaks\.local\.toml$''',
    '''\.gitleaks\.local\.toml\.example$''',
    '''\.github/workflows/secret-scan\.yml$''',
    '''CLAUDE\.md$''',
    '''(?i).*\.example\..*''',
    '''tests/.*/fixtures/.*''',
    '''CHANGELOG.*''',
    # RFC/design docs quote secret-shaped strings (e.g. example keys in
    # illustrative snippets, audit notes describing a pattern). These
    # files are human-authored prose, not code or configs, so the entropy
    # heuristics produce false positives when they talk *about* secrets.
    '''docs/rfcs/.*\.md$''',
    # Lockfiles: crate checksums, not secrets.
    '''Cargo\.lock$''',
    '''package-lock\.json$''',
    '''yarn\.lock$''',
    '''bun\.lock$''',
    # paste-server lib.rs: contains pure-function predicate
    # tests for is_localhost_origin that, by construction, must use
    # literal RFC 1918 / CGNAT IPs to test that the predicate accepts
    # private and rejects CGNAT. Substituting RFC 5737 docs IPs would
    # defeat the test.
    '''crates/paste-server/src/lib\.rs$''',
]
regexes = [
    # Loopback / unspecified — always safe
    '''127\.0\.0\.1''',
    '''0\.0\.0\.0''',
    '''::1''',
    '''localhost''',
    # RFC 5737 — reserved for documentation
    '''192\.0\.2\.\d{1,3}''',
    '''198\.51\.100\.\d{1,3}''',
    '''203\.0\.113\.\d{1,3}''',
    # RFC 2606 — reserved example domains
    '''example\.com''',
    '''example\.net''',
    '''example\.org''',
    '''example\.test''',
    # Common router-default gateway used as a placeholder in docs
    '''192\.168\.1\.1''',
    # Adversarial test fixtures that intentionally contain shapes the
    # scanner should catch — e.g. private IPs, user:pass@host URLs —
    # to prove detection. Specific values only; generic ranges still
    # fail so this list stays tight.
    '''192\.168\.1\.42''',
    '''192\.168\.1\.100''',
    '''user:pass@evil\.com''',
    # Example private IPs used in test fixtures and docs — generic
    # placeholders, not real deployment addresses. Specific values only;
    # keeps the rest of the 10/8 + 192.168/16 ranges tight.
    '''10\.0\.0\.1''',
    '''10\.0\.0\.10''',
    '''10\.0\.0\.20''',
    '''10\.0\.0\.40''',
    '''192\.168\.1\.49''',
    # Deterministic placeholder-injection fixtures. These are opaque test
    # handles, not real registered runtime placeholders.
    '''cfg_[A-Za-z0-9_-]+_(?:0123456789abcdef0123456789abcdef|ffffffffffffffffffffffffffffffff|11111111111111111111111111111111)''',
]