# Gitleaks secret-scanning configuration for the VacciChain repository.
title = "VacciChain Gitleaks Configuration"
[extend]
# Start from the rule set built into the gitleaks binary; the [[rules]] below
# are added on top of it. The built-in rules change between gitleaks releases,
# so scan results depend on which version runs this config.
useDefault = true
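# Custom rules for VacciChain-specific secrets

# Bare Stellar secret seed: 56 characters, a leading "S" followed by 55
# characters from the base32 alphabet (A-Z, 2-7). The digits 0, 1, 8 and 9
# never occur in a seed, so excluding them drops matches that cannot be keys.
# The \b anchors keep the rule from firing on a 56-character slice of a longer
# alphanumeric run. Trade-off: "_" is a word character, so a seed glued
# directly to an identifier with an underscore is not reported.
# There is no capture group, so the whole match is the reported secret.
[[rules]]
id = "stellar-secret-key"
description = "Stellar Secret Key"
regex = '''\bS[A-Z2-7]{55}\b'''
tags = ["stellar", "secret", "key"]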
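# Stellar key assigned to a named variable or config field, such as a
# stellar_secret_key or stellar-private-key assignment.
# The keyword alternation is non-capturing and the value is the only capture
# group, selected explicitly with secretGroup. Recent gitleaks v8 releases
# fall back to the first capture group when secretGroup is unset, which would
# report the variable name as the secret and run secret-targeted allowlist
# checks against it instead of the key.
# The separator class includes "'" so single-quoted assignments are caught.
# (?i) covers the whole pattern, so lowercase values match as well.
[[rules]]
id = "stellar-private-key"
description = "Stellar Private Key (alternative format)"
regex = '''(?i)(?:stellar[_-]?secret|stellar[_-]?private)[_-]?key["'\s:=]+([A-Z0-9]{56})'''
secretGroup = 1
tags = ["stellar", "secret", "key"]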
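# JWT signing secret assigned to a jwt_secret / jwt-key style name, with a
# value of at least 32 base64 characters.
# The keyword group is non-capturing and secretGroup selects the value, so the
# reported secret is the signing key rather than the variable name (recent
# gitleaks v8 releases otherwise pick the first capture group).
# The separator class includes "'" so single-quoted JavaScript/YAML strings
# are caught as well as double-quoted and unquoted ones.
[[rules]]
id = "jwt-secret"
description = "JWT Secret"
regex = '''(?i)(?:jwt[_-]?secret|jwt[_-]?key)["'\s:=]+([A-Za-z0-9+/=]{32,})'''
secretGroup = 1
tags = ["jwt", "secret"]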
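# Soroban secret assigned to a soroban_secret / soroban-key style name, with a
# value of at least 32 base64 characters.
# The keyword group is non-capturing and secretGroup selects the value, so the
# reported secret is the key material rather than the variable name (recent
# gitleaks v8 releases otherwise pick the first capture group).
# The separator class includes "'" so single-quoted assignments are caught.
[[rules]]
id = "soroban-secret"
description = "Soroban Secret Key"
regex = '''(?i)(?:soroban[_-]?secret|soroban[_-]?key)["'\s:=]+([A-Za-z0-9+/=]{32,})'''
secretGroup = 1
tags = ["soroban", "secret"]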
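# Generic api_key / api-key / apikey assignment with a value of 20 or more
# characters from [A-Za-z0-9_-].
# The keyword group is non-capturing and secretGroup selects the value, so the
# reported secret is the key rather than the variable name (recent gitleaks v8
# releases otherwise pick the first capture group).
# The separator class includes "'" so single-quoted assignments are caught.
# NOTE(review): the default rule set enabled through [extend] also has a
# generic API key rule; expect overlapping findings. Confirm this rule is
# still needed.
[[rules]]
id = "api-key-generic"
description = "Generic API Key"
regex = '''(?i)(?:api[_-]?key|apikey)["'\s:=]+([A-Za-z0-9_\-]{20,})'''
secretGroup = 1
tags = ["api", "key"]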
# Global allowlist: findings that match any entry below are dropped.
# NOTE(review): this is a top-level allowlist, so it presumably also
# suppresses findings from the default rules enabled in [extend]. Confirm.
[allowlist]
description = "Allowlist for known false positives"
# Regexes matched against file paths; matching files are not reported.
# NOTE(review): '\.md$' skips every Markdown file, so a real credential pasted
# into a README or runbook is never reported. The test/spec/mock patterns do
# the same for test code. Consider narrowing these to specific files.
# 'env\.example$' already covers everything '\.env\.example$' matches.
paths = [
'''\.env\.example$''',
'''env\.example$''',
'''\.md$''',
'''test_.*\.js$''',
'''.*\.test\.js$''',
'''.*\.spec\.js$''',
'''__mocks__/.*''',
]
# Placeholder patterns that are not real secrets.
# NOTE(review): none of these are anchored, so each matches anywhere in the
# text it is tested against. '<.*>' matches any text with a '<' followed later
# by a '>'. No regexTarget is set, so the tested text is whatever gitleaks uses
# by default. Verify against the gitleaks version in use, and anchor the
# patterns if they are meant to match a whole placeholder value.
regexes = [
'''EXAMPLE_.*''',
'''TEST_.*''',
'''DEMO_.*''',
'''your-.*-here''',
'''replace-with-.*''',
'''<.*>''',
'''SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX''',
]
# Stop words that mark a value as an example or placeholder.
# NOTE(review): "test" and "demo" are short and common. A real secret that
# happens to contain one of them would presumably be suppressed. Confirm how
# stopwords are matched before relying on this list.
stopwords = [
"example",
"sample",
"test",
"demo",
"placeholder",
"your-secret-here",
"replace-me",
]