.gitleaks.toml
title = "Secretless Broker gitleaks config"
# gitleaks v4+ does not support whitelist regexes. They are kept in place for backwards
# compatibility, but future regexes of keys to ignore should be included either in the
# file or path sections for files to ignore, or under the rule the expression/key should be
# whitelisted for.
# This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
# If GITLEAKS_CONFIG environment variable
# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
# configurations from that path. Gitleaks does not whitelist anything by default.
# - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf
# - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
[[rules]]
description = "AWS Client ID"
regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
[[rules.whitelist]]
description = "sample AWS key in AWS HTTP connector"
regex = '''AKIAIOSFODNN7EXAMPLE'''
[[rules.whitelist]]
description = "since-removed sample AWS key"
regex = '''AKIAJADDJE4Q4JVX3HAA'''
[[rules]]
description = "AWS Secret Key"
regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
tags = ["key", "AWS"]
[[rules]]
description = "AWS MWS key"
regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
tags = ["key", "AWS", "MWS"]
[[rules]]
description = "PKCS8"
regex = '''-----BEGIN PRIVATE KEY-----'''
tags = ["key", "PKCS8"]
[[rules]]
description = "RSA"
regex = '''-----BEGIN RSA PRIVATE KEY-----'''
tags = ["key", "RSA"]
[[rules]]
description = "SSH"
regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
tags = ["key", "SSH"]
[[rules]]
description = "PGP"
regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
tags = ["key", "PGP"]
[[rules]]
description = "Facebook Secret Key"
regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
tags = ["key", "Facebook"]
[[rules]]
description = "Facebook Client ID"
regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
tags = ["key", "Facebook"]
[[rules]]
description = "Facebook access token"
regex = '''EAACEdEose0cBA[0-9A-Za-z]+'''
tags = ["key", "Facebook"]
[[rules]]
description = "Twitter Secret Key"
regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
tags = ["key", "Twitter"]
[[rules]]
description = "Twitter Client ID"
regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
tags = ["client", "Twitter"]
[[rules]]
description = "Github"
regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
tags = ["key", "Github"]
[[rules]]
description = "LinkedIn Client ID"
regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
tags = ["client", "Twitter"]
[[rules]]
description = "LinkedIn Secret Key"
regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
tags = ["secret", "Twitter"]
[[rules]]
description = "Slack"
regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
tags = ["key", "Slack"]
[[rules]]
description = "EC"
regex = '''-----BEGIN EC PRIVATE KEY-----'''
tags = ["key", "EC"]
[[rules]]
description = "Generic API key"
regex = '''(?i)(api_key|apikey)(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
tags = ["key", "API", "generic"]
[[rules]]
description = "Generic Secret"
regex = '''(?i)secret(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
tags = ["key", "Secret", "generic"]
[[rules]]
description = "Google API key"
regex = '''AIza[0-9A-Za-z\\-_]{35}'''
tags = ["key", "Google"]
[[rules]]
description = "Google Cloud Platform API key"
regex = '''(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]'''
tags = ["key", "Google", "GCP"]
[[rules]]
description = "Google OAuth"
regex = '''(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]'''
tags = ["key", "Google", "OAuth"]
[[rules]]
description = "Google OAuth access token"
regex = '''ya29\.[0-9A-Za-z\-_]+'''
tags = ["key", "Google", "OAuth"]
[[rules]]
description = "Heroku API key"
regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
tags = ["key", "Heroku"]
[[rules]]
description = "MailChimp API key"
regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
tags = ["key", "Mailchimp"]
[[rules]]
description = "Mailgun API key"
regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
tags = ["key", "Mailgun"]
[[rules]]
description = "Password in URL"
regex = '''[a-zA-Z]{3,10}:\/\/[^\/\s:@]{3,20}:[^\/\s:@]{3,20}@.{1,100}\/?.?'''
tags = ["key", "URL", "generic"]
[[rules.whitelist]]
description = "Testing/example url for postgresql containers"
regex = '''postgres://postgres:SuperSecure@pg/postgres'''
[[rules.whitelist]]
description = "Testing/example url for sqlserver connection"
regex = '''sqlserver://username:password@host:port\?database=master.param2=value'''
[[rules]]
description = "PayPal Braintree access token"
regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
tags = ["key", "Paypal"]
[[rules]]
description = "Picatic API key"
regex = '''sk_live_[0-9a-z]{32}'''
tags = ["key", "Picatic"]
[[rules]]
description = "Slack Webhook"
regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
tags = ["key", "slack"]
[[rules]]
description = "Stripe API key"
regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
tags = ["key", "Stripe"]
[[rules]]
description = "Square access token"
regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
tags = ["key", "square"]
[[rules]]
description = "Square OAuth secret"
regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
tags = ["key", "square"]
[[rules]]
description = "Twilio API key"
regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
tags = ["key", "twilio"]
[whitelist]
# As of v4, gitleaks only matches against filename, not path in the
# files directive. Leaving content for backwards compatibility.
files = [
"(.*?)(jpg|gif|doc|pdf|bin)$",
".gitleaks.toml",
"doc/full-demo/secrets/(.*)", # since-removed set of demos with ex keys
"demos/full-demo/secrets/(.*)", # since-removed set of demos with ex keys
"demos/quick-start/docker/etc/(.*)", # demo quick start certs
"demos/k8s-demo/etc/(.*)", # k8s demo certs
"test/pg_handler/etc/(.*)", # test pg certs
"test/pg2_handler/etc/(.*)", # random pg test copy certs (since removed)
"test/ssh_handler/id_(.*)", # test ssh handler certs
"test/ssh_agent_handler/id_(.*)", # test ssh-agent handler certs
"test/connector/http/generic/certs/(.*)", # test http generic connector certs
"test/connector/ssh/id_(.*)", # test ssh handler certs
"test/connector/ssh_agent/id_(.*)", # test ssh-agent handler certs
"test/connector/tcp/mssql/certs/(.*)", # test mssql connector certs
"internal/plugin/connectors/tcp/ssl/testdata/(.*)", # test shared ssl package certs
"test/ssh/id_(.*)", # since-removed ssh test certs
"test/util/ssl/(.*)", # test ssl certs
"internal/plugin/connectors/tcp/mssql/connection_details_test.go", # fake cert string
"internal/plugin/connectors/http/aws/(.*)", # fake AWS credentials
]
# As of v4, gitleaks can whitelist paths to accommodate no longer using
# paths in the `files` whitelist.
paths = [
"doc/full-demo/secrets",
"demos/full-demo/secrets",
"demos/quick-start/docker/etc",
"demos/k8s-demo/etc",
"test/pg_handler/etc",
"test/pg2_handler/etc",
"test/ssh_handler",
"test/ssh_agent_handler",
"test/connector/http/generic/certs",
"test/connector/ssh",
"test/connector/ssh_agent",
"test/connector/tcp/mssql/certs",
"test/ssh",
"test/util/ssl",
"internal/plugin/connectors/tcp/mssql",
"internal/plugin/connectors/http/aws",
]
regexes = [
"AKIAIOSFODNN7EXAMPLE", # sample AWS key in AWS HTTP connector
"AKIAJADDJE4Q4JVX3HAA", # since-removed sample AWS key
"SuperSecure", # dummy password used in conjur integration test docker compose
]
commits = [
"21c8edd1766c146dccdbf9fc4752c0588f8b00b6", # old commit with disabled API key
"4d0c979ead264d84d6fa43d51aad0a70c7c8391f" # old commit with disabled API key
]
# Additional Examples
# [[rules]]
# description = "Generic Key"
# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
# entropies = [
# "4.1-4.3",
# "5.5-6.3",
# ]
# entropyROI = "line"
# filetypes = [".go", ".py", ".c"]
# tags = ["key"]
# severity = "8"
#
#
# [[rules]]
# description = "Generic Key"
# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
# entropies = ["4.1-4.3"]
# filetypes = [".gee"]
# entropyROI = "line"
# tags = ["key"]
# severity = "medium"
# [[rules]]
# description = "Any pem file"
# filetypes = [".key"]
# tags = ["pem"]
# severity = "high"