# Gitleaks Custom Configuration
# Extends default rules with patterns for self-hosted services
title = "Djedi Custom Gitleaks Config"

# Use the default gitleaks rules as a base
# This file ADDS to them, doesn't replace
# Note that "default" means whatever rule set ships with the gitleaks binary
# that runs this config, so detection coverage changes with the binary version;
# pin the gitleaks version in CI/pre-commit so results are reproducible.
# NOTE(review): if a custom rule id below collides with a default rule id the
# merge behaviour is version-dependent — keep ids unique to avoid relying on it.
[extend]
useDefault = true

# Custom rules for self-hosted services
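[[rules]]
id = "n8n-api-key"
description = "n8n API Key"
# (?i): gitleaks keyword pre-filtering is case-insensitive but rule regexes are
# not, so without it an upper-case env var (N8N_API_KEY=...) passed the keyword
# filter and then silently never matched. Group 1 is the key itself; the name
# and separator before it are deliberately excluded from the reported secret.
regex = '''(?i)n8n[_-]?api[_-]?key["'\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?'''
# Only fragments containing this word are run through the regex at all.
keywords = ["n8n"]
secretGroup = 1
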
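[[rules]]
id = "baserow-token"
description = "Baserow Database Token"
# (?i) so BASEROW_API_TOKEN=... (the usual env-var spelling) matches; the
# keyword filter already accepts any case, so the regex must too.
# Group 1 is the optional "api_" prefix, group 2 the token.
regex = '''(?i)baserow[_-]?(api[_-]?)?token["'\s:=]+["']?([a-zA-Z0-9]{20,})["']?'''
keywords = ["baserow"]
secretGroup = 2
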
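[[rules]]
id = "ntfy-token"
description = "ntfy Access Token"
# (?i) so NTFY_TOKEN / NTFY_ACCESS_TOKEN env vars are caught, not only the
# lower-case form. Group 1 is the optional "access_" prefix, group 2 the token.
regex = '''(?i)ntfy[_-]?(access[_-]?)?token["'\s:=]+["']?([a-zA-Z0-9_-]{16,})["']?'''
keywords = ["ntfy"]
secretGroup = 2
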
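[[rules]]
id = "radicale-password"
description = "Radicale/CalDAV Password"
# (?i) so RADICALE_PASSWORD=... matches as well as radicale_pass=...
# Group 1 is the optional "word" suffix, group 2 the password (any run of
# 8+ non-space, non-quote characters, since passwords are free-form).
regex = '''(?i)radicale[_-]?pass(word)?["'\s:=]+["']?([^\s"']{8,})["']?'''
# "caldav" alone can never satisfy the regex (it requires "radicale"); it only
# widens which fragments get scanned.
keywords = ["radicale", "caldav"]
secretGroup = 2
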
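[[rules]]
id = "headscale-api-key"
description = "Headscale API Key"
# (?i) so HEADSCALE_API_KEY=... (env-var spelling) matches. Group 1 is the key.
regex = '''(?i)headscale[_-]?api[_-]?key["'\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?'''
keywords = ["headscale"]
secretGroup = 1
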
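[[rules]]
id = "tailscale-auth-key"
description = "Tailscale Key (auth key, API access token or OAuth client secret)"
# All Tailscale secrets share the "tskey-<kind>-<id>-<secret>" shape; the
# original pattern only covered auth keys, but an API access token
# (tskey-api-...) or OAuth client secret (tskey-client-...) grants at least as
# much access to the tailnet. No secretGroup: the whole match is the secret.
regex = '''tskey-(?:auth|api|client)-[a-zA-Z0-9]+-[a-zA-Z0-9]+'''
keywords = ["tskey", "tailscale"]
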
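[[rules]]
id = "invoice-ninja-token"
description = "Invoice Ninja API Token"
# (?i) for the usual upper-case env-var spelling. The short "IN" alias is now
# anchored with \b: unanchored it matched the tail of ADMIN_TOKEN, LOGIN_TOKEN,
# MAIN_TOKEN, ... and reported their values as Invoice Ninja tokens.
# Group 1 = product name, group 2 = optional "api_" prefix, group 3 = token.
regex = '''(?i)(invoice[_-]?ninja|\bin)[_-]?(api[_-]?)?token["'\s:=]+["']?([a-zA-Z0-9]{20,})["']?'''
keywords = ["invoice", "ninja"]
secretGroup = 3
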
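[[rules]]
id = "postgres-connection"
description = "PostgreSQL Connection String with Password"
# user, password and host are restricted to non-whitespace (and user to
# non-"@"/"/") so the pattern cannot run across lines or into the next URL.
# (?i) tolerates an upper-case scheme. Group 1 is the optional "ql", group 2
# the password.
regex = '''(?i)postgres(ql)?://[^:@/\s]+:([^@\s]+)@[^/\s]+'''
keywords = ["postgres", "postgresql"]
secretGroup = 2

# docker-compose / .env style URLs usually carry a placeholder that is filled in
# at runtime (postgres://app:${POSTGRES_PASSWORD}@db/app) and were reported as
# leaked passwords. The allowlist target defaults to the captured secret, and
# only a braced placeholder that is the *entire* password is ignored, so a real
# password that merely begins with "$" is still reported.
[rules.allowlist]
regexes = ['''^\$\{[A-Za-z_][A-Za-z0-9_]*\}$''']
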
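[[rules]]
id = "redis-password"
description = "Redis Password in URL"
# Covers rediss:// (TLS) and the ACL form redis://user:password@host as well as
# the original redis://:password@host. The ":" before the password is required,
# so redis://user@host (no password) and redis://host:6379 do not match.
# Group 1 is the password; reporting only the group keeps the username out of
# the finding.
regex = '''(?i)rediss?://(?:[^:@/\s]*:)([^@\s]+)@'''
keywords = ["redis"]
secretGroup = 1

# Runtime placeholders (redis://:${REDIS_PASSWORD}@cache) are not leaks; only a
# braced placeholder that is the whole password is ignored.
[rules.allowlist]
regexes = ['''^\$\{[A-Za-z_][A-Za-z0-9_]*\}$''']
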
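[[rules]]
id = "gpg-passphrase"
description = "GPG Passphrase"
# (?i) for GPG_PASSPHRASE=...; "password" is accepted alongside "passphrase"
# because scripts commonly misname it (gpg_password=...) and it is the same
# secret. Group 1 is the optional suffix, group 2 the passphrase.
regex = '''(?i)gpg[_-]?pass(phrase|word)?["'\s:=]+["']?([^\s"']{8,})["']?'''
# "passphrase" alone never satisfies the regex (it needs "gpg"); it only widens
# which fragments are scanned.
keywords = ["gpg", "passphrase"]
secretGroup = 2
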
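[[rules]]
id = "wireguard-private-key"
description = "WireGuard Private/Preshared Key"
# A WireGuard key is 32 random bytes in base64 (43 chars + "="), but so is the
# PublicKey of every peer in the same config, so the old bare base64 pattern
# reported public keys as leaks. Anchor on the key name instead: PrivateKey and
# PresharedKey (or PRIVATE_KEY / private-key style variables) are the secrets.
# Trade-off: a key given without a name (e.g. inline in a shell command) is no
# longer caught by this rule.
regex = '''(?i)(private|preshared)[_-]?key["'\s:=]+["']?([a-zA-Z0-9+/]{43}=)["']?'''
keywords = ["wireguard", "private", "wg", "preshared"]
# Group 1 is the key name, group 2 the key itself.
secretGroup = 2
# Real keys are random; this drops low-entropy 44-char strings that happen to
# fit the shape.
entropy = 4.5
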
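[[rules]]
id = "encryption-key-hex"
description = "Encryption Key (64 hex chars)"
# (?i) so ENCRYPTION_KEY / SECRET_KEY / AES_KEY env vars match, not only the
# lower-case names (the hex class already accepted both cases). 64 hex chars is
# a 256-bit key; group 1 is the variable name, group 2 the key.
regex = '''(?i)(encryption[_-]?key|secret[_-]?key|aes[_-]?key)["'\s:=]+["']?([a-fA-F0-9]{64})["']?'''
keywords = ["encryption", "secret", "aes"]
secretGroup = 2
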
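[[rules]]
id = "rustdesk-key"
description = "RustDesk Encryption Key or ID"
# The bare "key" alternative was unanchored, so it also matched the tail of
# public_key / api-key / ssh_key and reported their values (public keys
# included) as RustDesk secrets. "key" must now be at the start of the fragment
# or follow a character that cannot be part of an identifier ("_" and "-" are
# excluded), which keeps a standalone `key = ...` / `"key": "..."` while
# dropping the *_key and *-key variants. Group 1 is the name, group 2 the value.
# (?i) for the upper-case env-var spellings.
regex = '''(?i)(enc_id|key_pair|(?:^|[^\w-])key)["'\s:=]+["']?([a-zA-Z0-9+/=]{20,})["']?'''
keywords = ["rustdesk", "enc_id", "key_pair"]
secretGroup = 2
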
# Allowlist - false positives to ignore
# A path listed here is skipped entirely: nothing in that file is ever reported,
# regardless of which rule would have matched. Keep it to generated files.
# NOTE(review): lockfiles can embed registry URLs; if a private registry is ever
# referenced with credentials in the URL, drop that lockfile from this list.
[allowlist]
description = "Global allowlist"
# Regexes matched against the file path (unanchored at the start).
paths = [
'''\.gitleaks\.toml$''',
'''\.gitleaksignore$''',
'''go\.sum$''',
'''package-lock\.json$''',
'''yarn\.lock$''',
'''bun\.lockb$''',
]
# Only governs `regexes`, which this allowlist does not define, so the key is
# currently inert; it takes effect once a `regexes` list is added here.
regexTarget = "match"