From 4572573132c8297173b432338fe2bc2f43a1ffef Mon Sep 17 00:00:00 2001
From: rpriven
Date: Fri, 9 Jan 2026 23:37:38 -0700
Subject: [PATCH] Add dev tooling config
---
 .gitleaks.toml | 113 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 .gitleaks.toml
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..f574fba
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,113 @@
+# Gitleaks Custom Configuration
+# Extends default rules with patterns for self-hosted services
+
+title = "Djedi Custom Gitleaks Config"
+
+# Use the default gitleaks rules as a base
+# This file ADDS to them, doesn't replace
+
+[extend]
+useDefault = true
+
+# Custom rules for self-hosted services
+[[rules]]
+id = "n8n-api-key"
+description = "n8n API Key"
+regex = '''n8n[_-]?api[_-]?key["'\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?'''
+keywords = ["n8n"]
+secretGroup = 1
+
+[[rules]]
+id = "baserow-token"
+description = "Baserow Database Token"
+regex = '''baserow[_-]?(api[_-]?)?token["'\s:=]+["']?([a-zA-Z0-9]{20,})["']?'''
+keywords = ["baserow"]
+secretGroup = 2
+
+[[rules]]
+id = "ntfy-token"
+description = "ntfy Access Token"
+regex = '''ntfy[_-]?(access[_-]?)?token["'\s:=]+["']?([a-zA-Z0-9_-]{16,})["']?'''
+keywords = ["ntfy"]
+secretGroup = 2
+
+[[rules]]
+id = "radicale-password"
+description = "Radicale/CalDAV Password"
+regex = '''radicale[_-]?pass(word)?["'\s:=]+["']?([^\s"']{8,})["']?'''
+keywords = ["radicale", "caldav"]
+secretGroup = 2
+
+[[rules]]
+id = "headscale-api-key"
+description = "Headscale API Key"
+regex = '''headscale[_-]?api[_-]?key["'\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?'''
+keywords = ["headscale"]
+secretGroup = 1
+
+[[rules]]
+id = "tailscale-auth-key"
+description = "Tailscale Auth Key"
+regex = '''tskey-auth-[a-zA-Z0-9]+-[a-zA-Z0-9]+'''
+keywords = ["tskey", "tailscale"]
+
+[[rules]]
+id = "invoice-ninja-token"
+description = "Invoice Ninja API Token"
+regex = '''(invoice[_-]?ninja|IN)[_-]?(api[_-]?)?token["'\s:=]+["']?([a-zA-Z0-9]{20,})["']?'''
+keywords = ["invoice", "ninja"]
+secretGroup = 3
+
+[[rules]]
+id = "postgres-connection"
+description = "PostgreSQL Connection String with Password"
+regex = '''postgres(ql)?://[^:]+:([^@]+)@[^/]+'''
+keywords = ["postgres", "postgresql"]
+secretGroup = 2
+
+[[rules]]
+id = "redis-password"
+description = "Redis Password in URL"
+regex = '''redis://:[^@]+@'''
+keywords = ["redis"]
+
+[[rules]]
+id = "gpg-passphrase"
+description = "GPG Passphrase"
+regex = '''gpg[_-]?pass(phrase)?["'\s:=]+["']?([^\s"']{8,})["']?'''
+keywords = ["gpg", "passphrase"]
+secretGroup = 2
+
+[[rules]]
+id = "wireguard-private-key"
+description = "WireGuard Private Key"
+regex = '''[a-zA-Z0-9+/]{43}='''
+keywords = ["wireguard", "private", "wg"]
+entropy = 4.5
+
+[[rules]]
+id = "encryption-key-hex"
+description = "Encryption Key (64 hex chars)"
+regex = '''(encryption[_-]?key|secret[_-]?key|aes[_-]?key)["'\s:=]+["']?([a-fA-F0-9]{64})["']?'''
+keywords = ["encryption", "secret", "aes"]
+secretGroup = 2
+
+[[rules]]
+id = "rustdesk-key"
+description = "RustDesk Encryption Key or ID"
+regex = '''(enc_id|key_pair|key)["'\s:=]+["']?([a-zA-Z0-9+/=]{20,})["']?'''
+keywords = ["rustdesk", "enc_id", "key_pair"]
+secretGroup = 2
+
+# Allowlist - false positives to ignore
+[allowlist]
+description = "Global allowlist"
+paths = [
+ '''\.gitleaks\.toml$''',
+ '''\.gitleaksignore$''',
+ '''go\.sum$''',
+ '''package-lock\.json$''',
+ '''yarn\.lock$''',
+ '''bun\.lockb$''',
+]
+regexTarget = "match"
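Review bot: The service-name prefixes in the `n8n-api-key`, `baserow-token`, `ntfy-token`, `radicale-password`, `headscale-api-key`, `invoice-ninja-token`, `gpg-passphrase`, `encryption-key-hex` and `rustdesk-key` regexes are case-sensitive, so the most common leak shape for these services — an upper-case environment variable such as `N8N_API_KEY=...` in a `.env` or compose file — never matches these rules even when the `keywords` pre-filter admits the fragment. Prefixing each pattern with the RE2 inline flag fixes that without widening the capture groups, e.g. `regex = '''(?i)n8n[_-]?api[_-]?key["'\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?'''`; for `invoice-ninja-token` scope it to the first alternative, `(?i:invoice[_-]?ninja)|IN`, so the bare `IN` does not also start matching inside words like `login_token`. Separately, `[^:]+`, `[^@]+` and `[^/]+` in `postgres-connection` and `[^@]+` in `redis-password` also match newlines under RE2, so a credential-free URL can be joined to an unrelated `@` several lines later and reported as a password; `'''postgres(ql)?://[^:\s]+:([^@\s]+)@[^/\s]+'''` and `'''redis://:[^@\s]+@'''` keep each match on one line. Finally, `regexTarget = "match"` at the end of `[allowlist]` is inert because the table declares no `regexes`; either remove it or add the `regexes` it was meant to scope (a placeholder pattern such as `\$\{[A-Z_]+\}` is the usual candidate) with a comment above the key saying why.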