Add dev tooling config

2026-01-09 23:37:38 -07:00 · 2026-01-09 23:37:38 -07:00 · 4572573132
commit 4572573132
parent d9834b6db0
1 changed files with 113 additions and 0 deletions
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@ -0,0 +1,113 @@
+# Gitleaks Custom Configuration
+# Extends default rules with patterns for self-hosted services
+
+title = "Djedi Custom Gitleaks Config"
+
+# Use the default gitleaks rules as a base
+# This file ADDS to them, doesn't replace
+
+[extend]
+useDefault = true
+
+# Custom rules for self-hosted services
+[[rules]]
+id = "n8n-api-key"
+description = "n8n API Key"
+regex = '''n8n[_-]?api[_-]?key["'\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?'''
+keywords = ["n8n"]
+secretGroup = 1
+
+[[rules]]
+id = "baserow-token"
+description = "Baserow Database Token"
+regex = '''baserow[_-]?(api[_-]?)?token["'\s:=]+["']?([a-zA-Z0-9]{20,})["']?'''
+keywords = ["baserow"]
+secretGroup = 2
+
+[[rules]]
+id = "ntfy-token"
+description = "ntfy Access Token"
+regex = '''ntfy[_-]?(access[_-]?)?token["'\s:=]+["']?([a-zA-Z0-9_-]{16,})["']?'''
+keywords = ["ntfy"]
+secretGroup = 2
+
+[[rules]]
+id = "radicale-password"
+description = "Radicale/CalDAV Password"
+regex = '''radicale[_-]?pass(word)?["'\s:=]+["']?([^\s"']{8,})["']?'''
+keywords = ["radicale", "caldav"]
+secretGroup = 2
+
+[[rules]]
+id = "headscale-api-key"
+description = "Headscale API Key"
+regex = '''headscale[_-]?api[_-]?key["'\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?'''
+keywords = ["headscale"]
+secretGroup = 1
+
+[[rules]]
+id = "tailscale-auth-key"
+description = "Tailscale Auth Key"
+regex = '''tskey-auth-[a-zA-Z0-9]+-[a-zA-Z0-9]+'''
+keywords = ["tskey", "tailscale"]
+
+[[rules]]
+id = "invoice-ninja-token"
+description = "Invoice Ninja API Token"
+regex = '''(invoice[_-]?ninja|IN)[_-]?(api[_-]?)?token["'\s:=]+["']?([a-zA-Z0-9]{20,})["']?'''
+keywords = ["invoice", "ninja"]
+secretGroup = 3
+
+[[rules]]
+id = "postgres-connection"
+description = "PostgreSQL Connection String with Password"
+regex = '''postgres(ql)?://[^:]+:([^@]+)@[^/]+'''
+keywords = ["postgres", "postgresql"]
+secretGroup = 2
+
+[[rules]]
+id = "redis-password"
+description = "Redis Password in URL"
+regex = '''redis://:[^@]+@'''
+keywords = ["redis"]
+
+[[rules]]
+id = "gpg-passphrase"
+description = "GPG Passphrase"
+regex = '''gpg[_-]?pass(phrase)?["'\s:=]+["']?([^\s"']{8,})["']?'''
+keywords = ["gpg", "passphrase"]
+secretGroup = 2
+
+[[rules]]
+id = "wireguard-private-key"
+description = "WireGuard Private Key"
+regex = '''[a-zA-Z0-9+/]{43}='''
+keywords = ["wireguard", "private", "wg"]
+entropy = 4.5
+
+[[rules]]
+id = "encryption-key-hex"
+description = "Encryption Key (64 hex chars)"
+regex = '''(encryption[_-]?key|secret[_-]?key|aes[_-]?key)["'\s:=]+["']?([a-fA-F0-9]{64})["']?'''
+keywords = ["encryption", "secret", "aes"]
+secretGroup = 2
+
+[[rules]]
+id = "rustdesk-key"
+description = "RustDesk Encryption Key or ID"
+regex = '''(enc_id|key_pair|key)["'\s:=]+["']?([a-zA-Z0-9+/=]{20,})["']?'''
+keywords = ["rustdesk", "enc_id", "key_pair"]
+secretGroup = 2
+
+# Allowlist - false positives to ignore
+[allowlist]
+description = "Global allowlist"
+paths = [
+    '''\.gitleaks\.toml$''',
+    '''\.gitleaksignore$''',
+    '''go\.sum$''',
+    '''package-lock\.json$''',
+    '''yarn\.lock$''',
+    '''bun\.lockb$''',
+]
+regexTarget = "match"