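# Gitleaks custom configuration.
# Extends the default rules with patterns for self-hosted services.
#
# Conventions used below:
# - `keywords` are a pre-filter: a rule's regex is only run on content that
#   contains one of its keywords, so a keyword gates the rule but does not
#   have to sit next to the match.
# - Regexes are case-sensitive unless flagged. Name-anchored rules carry
#   (?i) so that upper-case env-style names (e.g. N8N_API_KEY=...) are
#   caught as well as lower-case config keys.
# - `secretGroup` is the capture group reported as the secret; it must be
#   recounted whenever a group is added to or removed from a regex.

title = "Djedi Custom Gitleaks Config"

# Use the default gitleaks rules as a base.
# This file ADDS to them, it doesn't replace them.
[extend]
useDefault = true

# Custom rules for self-hosted services.

[[rules]]
id = "n8n-api-key"
description = "n8n API Key"
regex = '''(?i)n8n[_-]?api[_-]?key["'\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?'''
keywords = ["n8n"]
secretGroup = 1

[[rules]]
id = "baserow-token"
description = "Baserow Database Token"
# Group 1 is the optional "api_" infix, group 2 the token value.
regex = '''(?i)baserow[_-]?(api[_-]?)?token["'\s:=]+["']?([a-zA-Z0-9]{20,})["']?'''
keywords = ["baserow"]
secretGroup = 2

[[rules]]
id = "ntfy-token"
description = "ntfy Access Token"
# Group 1 is the optional "access_" infix, group 2 the token value.
regex = '''(?i)ntfy[_-]?(access[_-]?)?token["'\s:=]+["']?([a-zA-Z0-9_-]{16,})["']?'''
keywords = ["ntfy"]
secretGroup = 2

[[rules]]
id = "radicale-password"
description = "Radicale/CalDAV Password"
# The name anchor is "radicale" only; "caldav" is a keyword gate, so a
# value stored under a caldav_* name is not matched by this regex.
regex = '''(?i)radicale[_-]?pass(word)?["'\s:=]+["']?([^\s"']{8,})["']?'''
keywords = ["radicale", "caldav"]
secretGroup = 2

[[rules]]
id = "headscale-api-key"
description = "Headscale API Key"
regex = '''(?i)headscale[_-]?api[_-]?key["'\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?'''
keywords = ["headscale"]
secretGroup = 1

[[rules]]
id = "tailscale-auth-key"
description = "Tailscale Auth Key"
# Matches on the literal key prefix, so no assignment context is needed.
# Only the `tskey-auth-` prefix is covered; other `tskey-` key types would
# need their own rule.
regex = '''tskey-auth-[a-zA-Z0-9]+-[a-zA-Z0-9]+'''
keywords = ["tskey", "tailscale"]

[[rules]]
id = "invoice-ninja-token"
description = "Invoice Ninja API Token"
# Case-insensitivity is scoped with (?i:...) so the short `IN` prefix stays
# upper-case only; a global (?i) would let it match the common word "in".
# `IN` is not anchored on the left, so names that merely end in IN also
# match when a keyword is present. Scoped groups are non-capturing, which
# keeps the token value in group 3.
regex = '''((?i:invoice[_-]?ninja)|IN)[_-]?((?i:api)[_-]?)?(?i:token)["'\s:=]+["']?([a-zA-Z0-9]{20,})["']?'''
keywords = ["invoice", "ninja"]
secretGroup = 3

[[rules]]
id = "postgres-connection"
description = "PostgreSQL Connection String with Password"
# Whitespace is excluded from every component so a match cannot run past
# the URL onto following text or lines. Group 2 is the password.
regex = '''postgres(ql)?://[^:\s]+:([^@\s]+)@[^/\s]+'''
keywords = ["postgres", "postgresql"]
secretGroup = 2

[[rules]]
id = "redis-password"
description = "Redis Password in URL"
# Covers both `redis://:password@` and `redis://user:password@`, plus the
# TLS scheme `rediss://`. Group 1 is the password.
regex = '''rediss?://[^:@/\s]*:([^@\s]+)@'''
keywords = ["redis"]
secretGroup = 1

[[rules]]
id = "gpg-passphrase"
description = "GPG Passphrase"
# Group 1 is the optional "phrase" suffix, group 2 the passphrase value.
regex = '''(?i)gpg[_-]?pass(phrase)?["'\s:=]+["']?([^\s"']{8,})["']?'''
keywords = ["gpg", "passphrase"]
secretGroup = 2

[[rules]]
id = "wireguard-private-key"
description = "WireGuard Private Key"
# The pattern is shape-only: 43 base64 characters plus one `=`, which is
# what any 32-byte value looks like in base64. WireGuard public and
# preshared keys and base64 SHA-256 digests have the same shape, so the
# keywords and the entropy floor are the only things narrowing this rule.
# Expect to triage its findings.
regex = '''[a-zA-Z0-9+/]{43}='''
keywords = ["wireguard", "private", "wg"]
entropy = 4.5

[[rules]]
id = "encryption-key-hex"
description = "Encryption Key (64 hex chars)"
# Group 1 is the key name, group 2 the 64-character hex value.
regex = '''(?i)(encryption[_-]?key|secret[_-]?key|aes[_-]?key)["'\s:=]+["']?([a-fA-F0-9]{64})["']?'''
keywords = ["encryption", "secret", "aes"]
secretGroup = 2

[[rules]]
id = "rustdesk-key"
description = "RustDesk Encryption Key or ID"
# The bare `key` alternative also matches the tail of longer names such as
# api_key or public_key. It is kept case-sensitive, and only the keyword
# gate ties a match to RustDesk content.
regex = '''(enc_id|key_pair|key)["'\s:=]+["']?([a-zA-Z0-9+/=]{20,})["']?'''
keywords = ["rustdesk", "enc_id", "key_pair"]
secretGroup = 2

# Allowlist - false positives to ignore.
# This allowlist is global: files matching `paths` are skipped for every
# rule, including the inherited defaults. Lockfiles are skipped wholesale,
# so a credential embedded in one (for example in a registry URL) would
# not be reported.
[allowlist]
description = "Global allowlist"
paths = [
    '''\.gitleaks\.toml$''',
    '''\.gitleaksignore$''',
    '''go\.sum$''',
    '''package-lock\.json$''',
    '''yarn\.lock$''',
    '''bun\.lockb$''',
]
# No `regexes` are defined in this file. NOTE(review): confirm whether
# your gitleaks version applies this target to allowlist regexes merged in
# from the extended default config.
regexTarget = "match"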