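# Gitleaks Configuration for SpokeToWork
# https://github.com/gitleaks/gitleaks
#
# Allowlist `paths` are Go regexes matched, unanchored, against the file path
# relative to the scan root. Directory patterns therefore carry an explicit
# `^` / `(^|/)`: a bare `out/.*` would also exempt `src/checkout/...`.

title = "SpokeToWork Secret Detection"

# Extend the default rules
[extend]
useDefault = true

# Custom rules for project-specific patterns
#
# NOTE(review): `severity` is not a documented field of the gitleaks rule
# schema and is presumably ignored by the parser; `tags` is the documented way
# to attach metadata (e.g. tags = ["severity:high"]) — verify against the
# gitleaks version in use before relying on these values.
[[rules]]
id = "supabase-service-role-key"
# NOTE(review): `sbp_` is the prefix used by Supabase personal access tokens
# (management API); a project's legacy service-role key is a JWT — confirm the
# description matches what this regex actually catches.
description = "Supabase Service Role Key"
regex = '''sbp_[a-zA-Z0-9]{40}'''
keywords = ["sbp_"]
severity = "high"

[[rules]]
id = "supabase-anon-key-in-code"
description = "Supabase Anon Key hardcoded (should use env var)"
# The literal prefix is the base64url encoding of {"alg":"HS256","typ":"JWT"},
# so this matches *any* HS256 JWT, including a legacy service-role JWT, which
# is a real secret rather than the medium-severity finding the id suggests.
# The default ruleset's JWT rule likely overlaps with this one.
regex = '''eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+'''
keywords = ["eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"]
severity = "medium"

[[rules]]
id = "stripe-live-key"
description = "Stripe Live API Key"
regex = '''sk_live_[a-zA-Z0-9]{24,}'''
keywords = ["sk_live_"]
severity = "critical"

[[rules]]
id = "stripe-live-publishable"
description = "Stripe Live Publishable Key"
regex = '''pk_live_[a-zA-Z0-9]{24,}'''
keywords = ["pk_live_"]
severity = "high"

# Allowlist for false positives
[allowlist]
description = "Allowed patterns and paths"

# Allow test fixtures, example files, and gitignored paths
paths = [
    # Example/sample files
    '''(^|/)\.env\.example$''',
    '''(^|/)\.env\.sample$''',
    # NOTE(review): a secret pasted into any docs/*.md is never reported.
    '''^docs/.*\.md$''',
    # Local Supabase config (contains official Supabase demo keys, not real secrets)
    '''(^|/)LOCAL-SUPABASE-GUIDE\.md$''',
    '''^docker/kong/kong\.yml$''',
    '''^docker/supabase/''',
    # Test files and fixtures
    # NOTE(review): every *.test.ts / *.spec.ts / *.stories.ts(x) file is
    # exempt, so a real credential pasted into a test goes unreported.
    '''^tests/e2e/fixtures/''',
    '''\.test\.ts$''',
    '''\.spec\.ts$''',
    '''\.stories\.tsx?$''',
    '''^test-results/''',
    '''^playwright-report/''',
    # Gitignored paths (should never be committed)
    # NOTE(review): exempting these means an accidentally committed .env is
    # also not reported — the exact mistake a secret scanner exists to catch.
    # Presumably kept so a working-tree scan (`--no-git`) does not flag the
    # developer's local file; confirm, and drop these entries if only git
    # history / staged files are scanned.
    '''(^|/)\.env$''',
    '''(^|/)\.env\.local$''',
    '''(^|/)\.env\.[^/]*\.local$''',
    '''(^|/)\.next/''',
    '''^out/''',
    '''^\.claude/settings\.local\.json$''',
    '''(^|/)node_modules/''',
    '''(^|/)coverage/''',
]

# No commit allowlisting — secrets are scrubbed from git history
commits = []

# Allow specific regex patterns that are false positives.
# These are matched, unanchored, against the detected secret (gitleaks'
# default regexTarget), so a finding that merely *contains* one of them is
# dropped.
regexes = [
    # UUID patterns (not secrets)
    '''[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}''',
    # Example/placeholder values
    '''YOUR_.*_HERE''',
    '''PLACEHOLDER_.*''',
    # Also covers test@example.com
    '''example\.com''',
]

# Stop words that indicate the string is not a secret (substring match on the
# candidate secret). `test_` also suppresses Stripe `sk_test_` keys, which is
# presumably intended.
stopwords = [
    "example",
    "placeholder",
    "your_",
    "test_",
    "fake_",
    "dummy_",
    "sample_",
]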