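# Gitleaks configuration for Kagenti HyperShift CI
# See: https://github.com/gitleaks/gitleaks
#
# SECURITY POLICY: Scan ALL files, only allow specific patterns
# Do NOT exclude paths - docs and policies can contain accidental secrets
title = "Kagenti Gitleaks Configuration"

[allowlist]
description = "Allowlisted patterns - STRICT: only explicit placeholders allowed"
# Match the allowlist regexes against the extracted secret value only, not the
# whole rule match or the surrounding line. Stated explicitly so that a change
# in the tool's default target cannot silently widen what these patterns
# suppress (e.g. a placeholder word on the same line as a real secret).
regexTarget = "secret"
# SECURITY PRINCIPLE: Only allow patterns with EXPLICIT placeholder markers
# Do NOT add broad patterns like "arn:aws:iam::\d{12}:role/example-.*"
# which could match real ARNs that happen to contain "example"
#
# Every entry is an unanchored search: a pattern without ^ / $ suppresses any
# secret that merely CONTAINS the substring. Prefer anchored patterns and
# reject additions that could plausibly occur inside a real credential.
regexes = [
    # =========================================================================
    # EXPLICIT PLACEHOLDER MARKERS (safe - clearly not real secrets)
    # =========================================================================
    # Strings containing explicit placeholder words (the surrounding .* is
    # redundant for an unanchored search and kept only for readability)
    '''(?i).*PLACEHOLDER.*''',
    '''(?i).*YOUR[-_].*[-_]HERE.*''',
    '''(?i).*CHANGE[-_]?ME.*''',
    '''(?i).*INSERT[-_].*[-_]HERE.*''',
    '''(?i).*REPLACE[-_]?THIS.*''',
    '''(?i).*FIXME.*''',
    # Explicit example/test markers in the VALUE (not just nearby).
    # Anchored at the start so a real value that happens to contain
    # "example" or "test" further in is still reported.
    '''(?i)^example[-_].*''',
    '''(?i)^test[-_].*''',
    '''(?i)^dummy[-_].*''',
    '''(?i)^fake[-_].*''',
    '''(?i)^sample[-_].*''',
    # Placeholder runs: xxx, XXX, 000... (e.g. AKIAXXXXXXXXXXXXXXXX).
    # NOTE(review): these three are substring matches - a real secret that
    # happens to contain "xxx", "XXX" or twelve consecutive zeros is suppressed
    # as well. Kept for the common placeholder forms; tighten (longer run or
    # anchoring) if findings show real values slipping through.
    '''x{3,}''',
    '''X{3,}''',
    '''0{12,}''',
    # Angle bracket placeholders, e.g. <API_KEY>, <your-token-here>
    '''<[A-Za-z_-]+>''',
    # Case-insensitive, consistent with the other placeholder-word patterns
    '''(?i)<your[-_].*>''',
    # =========================================================================
    # TEMPLATE VARIABLES (safe - clearly templated, not real values)
    # =========================================================================
    # Shell/environment variable substitution, e.g. ${AWS_SECRET_ACCESS_KEY}
    '''\$\{[A-Za-z_][A-Za-z0-9_]*\}''',
    # Jinja/Ansible/Helm template syntax ({{ ... }} and {% ... %}).
    # Unanchored: a value that contains a template expression anywhere is
    # treated as templated, not as a literal secret.
    '''\{\{.*\}\}''',
    '''\{%.*%\}''',
    # =========================================================================
    # DOCUMENTATION PATTERNS (safe - only in policy doc wildcards)
    # =========================================================================
    # Wildcard-only resource patterns (not real ARNs)
    '''arn:aws:[a-z0-9-]+:\*:\*:.*''',
    # Account ID is literally "ACCOUNT_ID" (placeholder text)
    '''arn:aws:iam::ACCOUNT_ID:.*''',
    # Account ID is a template variable
    '''arn:aws:iam::\$\{[A-Za-z_]+\}:.*''',
]

# Extend default rules - we want strict detection
[extend]
# Use default gitleaks rules
useDefault = true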