gitleaks.toml

title = "gitleaks config"

[[rules]]
	description = "AWS Manager ID"
	regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
	tags = ["key", "AWS"]

[[rules]]
	description = "AWS cred file info"
	regex = '''(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}'''
	tags = ["AWS"]

[[rules]]
	description = "AWS Secret Key"
	regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
	tags = ["key", "AWS"]

[[rules]]
	description = "AWS MWS key"
	regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
	tags = ["key", "AWS", "MWS"]

[[rules]]
	description = "Facebook Secret Key"
	regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
	tags = ["key", "Facebook"]

[[rules]]
	description = "Facebook Client ID"
	regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
	tags = ["key", "Facebook"]

[[rules]]
	description = "Twitter Secret Key"
	regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
	tags = ["key", "Twitter"]

[[rules]]
	description = "Twitter Client ID"
	regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
	tags = ["client", "Twitter"]

[[rules]]
	description = "Github"
	regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
	tags = ["key", "Github"]

[[rules]]
	description = "LinkedIn Client ID"
	regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
	tags = ["client", "LinkedIn"]

[[rules]]
	description = "LinkedIn Secret Key"
	regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
	tags = ["secret", "LinkedIn"]

[[rules]]
	description = "Slack"
	regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
	tags = ["key", "Slack"]

[[rules]]
	description = "EC"
	regex = '''-----BEGIN EC PRIVATE KEY-----'''
	tags = ["key", "EC"]


[[rules]]
	description = "Google API key"
	regex = '''AIza[0-9A-Za-z\\-_]{35}'''
	tags = ["key", "Google"]


[[rules]]
	description = "Heroku API key"
	regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
	tags = ["key", "Heroku"]

[[rules]]
	description = "MailChimp API key"
	regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
	tags = ["key", "Mailchimp"]

[[rules]]
	description = "Mailgun API key"
	regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
	tags = ["key", "Mailgun"]

[[rules]]
	description = "PayPal Braintree access token"
	regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
	tags = ["key", "Paypal"]

[[rules]]
	description = "Picatic API key"
	regex = '''sk_live_[0-9a-z]{32}'''
	tags = ["key", "Picatic"]

[[rules]]
	description = "Slack Webhook"
	regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
	tags = ["key", "slack"]

[[rules]]
	description = "Stripe API key"
	regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
	tags = ["key", "Stripe"]

[[rules]]
	description = "Square access token"
	regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
	tags = ["key", "square"]

[[rules]]
	description = "Square OAuth secret"
	regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
	tags = ["key", "square"]

[[rules]]
	description = "Twilio API key"
	regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
	tags = ["key", "twilio"]

[[rules]]
	description = "Env Var"
	regex = '''(?i)(api_key|apikey|secret|password|pw)=[0-9a-zA-Z-_{}]{4,120}'''
	[[rules.whitelist]]
	    regex = '''(PASSWORD=HHduWG6LogIvDIQuWgp3Zlo9OYMValTtH5OBcuHw)'''
	    description = "Ignore public test okta credential, this is meant to be public"

[[rules]]
	description = "Generic Credential"
	regex = '''(?i)(dbpasswd|dbuser|dbhost|api_key|apikey|secret|password|guid|pw)(.{0,20})?['|"][0-9a-zA-Z-_!{}/=]{4,120}['|"]'''
	tags = ["key", "API", "generic"]
	[[rules.whitelist]]
	    regex = '''(HHduWG6LogIvDIQuWgp3Zlo9OYMValTtH5OBcuHw)'''
	    description = "Ignore public test okta credential, this is meant to be public"
	[[rules.whitelist]]
	    regex = '''(input type=.*)'''
	    description = "Ignore input type in HTML as it flags on keywords for this rule"
	    
[[rules]]
	description = "WP-Config"
	regex='''define(.{0,20})?(DB_CHARSET|NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|NONCE_KEY|DB_HOST|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|DB_NAME|DB_USER)(.{0,20})?['|"].{10,120}['|"]'''
	tags = ["key", "API", "generic"]


[[rules]]
	description = "Pure Entropy"
	regex = '''['|"][0-9a-zA-Z-._{}$\/=]{40,120}['|"]'''
	entropies = [
        "5.0-5.6"
	]
	[[rules.whitelist]]
            regex = '''("bfd_keystore_location=\$BFD_KEYSTORE_LOCATION")'''
            description = "Ignore BFD keystore location entropy trigger"
	[[rules.whitelist]]
	    regex = '''(ABCDEFGHIJKLMNOPQRSTUVWXYabcdefghijklmnopqrstuvwxyz)'''
	    description = "Ignore alphabet entropy trigger for health checks"
	[[rules.whitelist]]
	    regex = '''(integrity="sha(256|384|512)-.*")'''
	    description = "Ignore valid sha integrity hash"
	[[rules.whitelist]]
	    regex = '''(ab2d_keystore_location=.*)'''
	    description = "Ignore AB2D keystore location variable"
	[[rules.whitelist]]
	    regex = '''(.*01-public-schema.sql)'''
	    description = "Ignore arg reference containing high entropy string to this sql file"

[[rules]]
	description = "Entropy plus Generic Credential"
	regex = '''(?i)(api_key|apikey|secret|key|api|password|pw)'''
	entropies = [
        "5.2-5.5"
	]

[Global]
    file = '''(?i)(id_rsa|passwd|pgpass|pem|shadow)'''

[whitelist]
	description = "Custom whitelist to exclude images and gitleaks config and any other AB2D files"
	file = '''(.*?)(jpg|gif|doc|pdf|bin)|(api\/src\/test\/resources\/application\.properties)|(gitleaks.toml)|(create-database-secret.py)|(get-database-secret.py)|(TestUtil.java)|(application.bfd.properties)|(SwaggerConfig.java)|(TestRunner.java)|(prod-config.yml)|(imp-config.yml)|(sbx-config.yml)|(dev-config.yml)|(local-config.yml)|(.travis.yml)|(jquery.*)|(bootstrap.*)$'''