.talismanrc
# Talisman secret-scanner configuration (.talismanrc).
# Every entry under allowed_patterns is a regular expression; content that
# matches one of them is excluded from Talisman's secret / suspicious-string
# findings. Keep entries as narrow as possible: a short, unanchored pattern
# suppresses findings on every line it matches, not only in the file that
# motivated the exception.
scopeconfig:
# Built-in scope that skips generated dependency manifests such as package-lock.json.
- scope: node # ignore e.g. package-lock.json
# Deliberately left empty: file-level ignores in Talisman are tied to a file
# checksum, so every edit to an ignored file would require updating this
# file again. Content-level allowed_patterns are used instead.
# NOTE(review): a bare key parses as null; `fileignoreconfig: []` would state
# the "no ignores" intent explicitly for linters and readers — confirm
# Talisman accepts the empty list before changing it.
fileignoreconfig:
allowed_patterns:
# Long hex strings (image digests, pinned GitHub Action commit SHAs) are
# otherwise reported as hex-encoded secrets. Allowing the whole
# `uses:` / `@sha256:` line instead of the bare hash keeps each exception
# bound to one exact pin, so bumping a pin forces this list to be revisited.
- "cgr.dev/chainguard/nginx@sha256:9cbce3d5ee2bf696232931119919c2db19e7272cddb0fae0dc0602e78281b688"
- "uses: aquasecurity/trivy-action@cf990b19d84bbbe1eb8833659989a7c1029132e3"
- "uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf"
- "uses: digitalservicebund/setup-sonarscanner@3ade23691f865c02dce6b46452947a0e7944196e"
- "uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb"
- "uses: sonarsource/sonarqube-quality-gate-action@424137db1fae80e9eb279829995166f2f44bc8df"
- "uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0"
- "uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0"
- "uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59"
- "uses: chainguard-dev/actions/setup-gitsign@94389dc7faf4ef9040df90498419535e1bdcb60e"
- "uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412"
- "uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a"
# Sentry DSN: the user part of the URL is the project's public key, which
# the scanner flags as a credential.
# NOTE(review): the user/host part appears here as "[email protected]", which
# looks like a rendering/obfuscation artifact rather than the committed
# value — check the original file before relying on this entry.
- "dsn: 'https://[email protected]/4508482613084160'"
# Slack permalinks: the long numeric message ids look like encoded secrets.
- "https://digitalservicebund.slack.com/archives/C046VD44ZEH/p1706516240974409"
- "https://digitalservicebund.slack.com/archives/C046VD44ZEH/p1706525248390559"
# Lines containing the word "secret" that are workflow syntax, references to
# the secrets store, or prose — never a secret value itself.
- secrets-scan-with-talisman
- "secrets: inherit"
# NOTE(review): unlike the two `password:` entries below, this pattern does
# not escape `$` or `{`; most regex engines read `$` as an end-of-line
# anchor, so it may never match the intended `${{ ... }}` text. Verify with
# a Talisman run and, if needed, apply the same `\\$\\{\\{` escaping.
- "SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}"
- "# scan for secrets that were published by mistake"
# `\\$\\{\\{` is YAML double-quote escaping for the regex `\$\{\{`, i.e. the
# literal GitHub expression delimiter `${{`; these match the expression
# reference to the secret, not a resolved value.
- "password: \\$\\{\\{ secrets.GITHUB_TOKEN \\}\\}"
- "argocd_pipeline_password: \\$\\{\\{ secrets.ARGOCD_PIPELINE_PASSWORD \\}\\}"
- "introduced new secrets, but"
# Lines containing "key" that refer to CI cache keys, a Sonar project key,
# keyboard events, or Vue/React list keys rather than credentials.
- "key: modules-"
- "key:.+runner.os"
- "key[s]?: docker-frontend-images-cache"
- "key: npm-cache"
- "sonar.projectKey=digitalservicebund_ris-adm-vwv"
# Same `${{ }}` escaping as the password entries above.
- "deploy_key: \\$\\{\\{ secrets.DEPLOY_KEY \\}\\}"
- "Escape key"
- "keyDown"
- "keydown"
- "keyup"
- "key: 'Escape'"
- "handleKeyDown"
- "KeyboardEvent"
- "event.key"
- ':key="index"'
- ':key=".*\.label"'
- "key: .Arrow"
# NOTE(review): the next few entries ("key in", "Keyboard", "keyboard",
# "key: 'value'", "key: 'other-value'") are short, unanchored substrings and
# therefore also suppress findings on any unrelated line that happens to
# contain them; anchoring each to its surrounding source text (as the
# `:key="index"` entries do) would narrow the exception.
- "key in"
- "Keyboard"
- "keyboard"
- "keyArrow"
- "key === 'Escape'"
- "key: 'value'"
- "key: 'other-value'"
# Trips Talisman's suspicious-content check without containing anything
# sensitive; allowed as the exact literal.
- "{ label: 'passive item', route: { name: 'not-matching' }"