# .gitleaks.toml — Gitleaks configuration for Nzila Automation monorepo
# Extends the default ruleset with monorepo-specific tuning.
# Docs: https://github.com/gitleaks/gitleaks
title = "Nzila Automation Gitleaks Config"
[extend]
# Use the default gitleaks rules as base
# The custom [[rules]] further down are added on top of the defaults; the
# global [allowlist] applies to default and custom rules alike.
useDefault = true
# ──────────────────────────────────────
# Allowlist: paths and patterns that are
# known safe (test fixtures, examples)
# ──────────────────────────────────────
# Every entry below suppresses findings from ALL rules (default and custom),
# so prefer the narrowest pattern that covers the known false positive; a
# [rules.allowlist] scoped to one rule is the tighter alternative.
[allowlist]
description = "Global allowlist for Nzila monorepo"
# Paths that contain placeholder/test values (not real secrets)
# Path regexes are not anchored at the start: a pattern matches anywhere in
# the repo-relative path unless it begins with `^`.
paths = [
'''\.github/workflows/.*\.yml$''', # CI files use placeholder env vars
'''\.env\.example$''', # Example env files
'''\.env\.test$''', # Test env files
'''\.env\.template$''', # Template env files
'''pnpm-lock\.yaml$''', # Lock file hashes
'''.*\.snap$''', # Jest/Vitest snapshots
'''docs/.*\.md$''', # Documentation
'''content/.*\.md$''', # Content files
'''governance/.*\.md$''', # Governance docs
'''ops/runbooks/.*\.md$''', # Runbook docs with placeholder commands
# NOTE(review): unanchored, so this also matches e.g. `src/tmp-cache.ts`;
# `^tmp-` would limit it to top-level temp files if that is the intent.
'''tmp-.*''', # Temporary analysis files (not committed to production)
'''db/seeds/.*\.sql$''', # Seed files use env-var placeholders, not real secrets
'''auth_core/tests_clerk_webhooks\.py$''', # Test file with synthetic webhook secret
'''__tests__/.*\.test\.ts$''', # Unit tests with mock env values
'''\.test\.ts$''', # Test files with mock values
'''\.spec\.ts$''', # Spec files with mock values
'''tests/test_.*\.py$''', # Python test files with mock values
# NOTE(review): Dockerfiles, compose files and IaC templates are frequent
# locations for real credentials; allowlisting the whole file class hides
# those too. Consider listing the specific files that carry placeholders.
'''Dockerfile$''', # Build-time placeholder ARGs
'''docker-compose.*\.yml$''', # Dev compose files with local credentials
'''\.devcontainer/.*\.yml$''', # Devcontainer configs
'''tech-repo-scaffold/''', # Template/scaffold boilerplate
'''infra/.*\.bicep$''', # Bicep templates with output expressions
# NOTE(review): covers every Python file under packages/automation, not only
# the migration scripts named in the comment.
'''packages/automation/.*\.py$''', # Migration scripts with placeholder URLs
'''packages/automation/.*\.md$''', # Automation documentation
'''.*STRIPE_.*\.md$''', # Stripe integration docs
'''.*CLERK_.*\.md$''', # Clerk integration docs
'''.*AUTH_.*\.md$''', # Auth implementation docs
'''.*DJANGO_.*\.md$''', # Django settings guides
'''content/internal/cupe3906-bylaws-raw\.html$''', # Scraped HTML with third-party New Relic tracking keys
'''lib/api-docs/openapi-config\.ts$''', # API docs with placeholder curl Authorization examples
]
# Allowlisting a commit only silences the finding; the content stays in git
# history. If a listed value was ever a live credential it still needs rotation.
commits = [
"897a20a39661623fcef2a005542c30a5f3c01e9a", # seed-staging-full.sql had placeholder-like password (now removed)
]
# Known placeholder patterns used in tests/CI
# NOTE(review): by default gitleaks compares allowlist regexes against the
# finding's Secret, not the whole line (see `regexTarget` in the gitleaks
# config docs). Entries that describe surrounding code rather than the secret
# value — `\.replace\(.*whsec_`, `\.startswith\(.*whsec_`, `NEXT_PUBLIC_.*=pk_test_`
# — are unlikely to match anything under that default; confirm against the
# gitleaks version in use before relying on them.
regexes = [
'''sk_test_placeholder''',
'''pk_test_placeholder''',
'''postgres(ql)?://[^@]+@localhost''',
'''NEXT_PUBLIC_.*=pk_test_''',
'''sk_test_xxx''',
'''pk_test_xxx''',
'''sk_test_your_\w+''', # Placeholder keys like sk_test_your_key_here
'''pk_test_your_\w+''', # Placeholder keys like pk_test_your_key_here
'''whsec_configure_this''', # Placeholder webhook secrets
'''whsec_\.\.\.''', # Truncated placeholder (whsec_...)
'''password@db:5432''', # Dev docker-compose DB passwords
'''devpassword@db''', # Dev docker-compose passwords
'''PASSWORD@.*5432''', # Migration script placeholders
'''user:pass@host''', # Example connection strings
'''user:password@host''', # Example connection strings
'''\.replace\(.*whsec_''', # Code that strips whsec_ prefix (not a secret)
'''\.startswith\(.*whsec_''', # Code that checks whsec_ prefix (not a secret)
'''YOUR_API_KEY''', # Placeholder API key in documentation examples
]
# ──────────────────────────────────────
# Custom rules for Nzila-specific secrets
# ──────────────────────────────────────
# NOTE(review): this regex is byte-identical to nzila-stripe-secret-key below,
# so every sk_live_ token is reported twice (once per rule id). Merge the two
# ids, or differentiate the patterns if the two providers' key formats differ.
[[rules]]
id = "nzila-clerk-secret-key"
description = "Clerk secret key (production)"
# `[A-Za-z0-9]{20,}` excludes `_`, so `sk_live_your_key_here`-style
# placeholders do not match; test-mode `sk_test_` keys are not covered here.
regex = '''sk_live_[A-Za-z0-9]{20,}'''
tags = ["key", "clerk"]
# Pre-filter: lines without this substring are never run through the regex.
keywords = ["sk_live_"]
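[[rules]]
id = "nzila-azure-keyvault-uri"
description = "Azure Key Vault URI with embedded credentials"
# `.*` between the host and `[?&]sig=` is unbounded, so a vault hostname and a
# `sig=` token from a different URL on the same fragment can be paired.
# NOTE(review): `sig=<token>` is the shape of Azure Storage SAS signatures;
# confirm this is the URL form actually expected for Key Vault here.
regex = '''https://[a-zA-Z0-9-]+\.vault\.azure\.net.*[?&]sig=[A-Za-z0-9%+/=]{20,}'''
tags = ["key", "azure"]
# Pre-filter: the regex can only match content containing this host suffix,
# so the keyword skips unrelated content without changing what is reported.
keywords = ["vault.azure.net"]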
# NOTE(review): same regex as nzila-clerk-secret-key above; a single sk_live_
# token produces two findings. See that rule for the merge/differentiate note.
[[rules]]
id = "nzila-stripe-secret-key"
description = "Stripe secret key"
# Live-mode keys only; `sk_test_` values are left to the default rules and the
# global allowlist placeholders.
regex = '''sk_live_[A-Za-z0-9]{20,}'''
tags = ["key", "stripe"]
# Pre-filter: lines without this substring are never run through the regex.
keywords = ["sk_live_"]
[[rules]]
id = "nzila-stripe-webhook-secret"
description = "Stripe webhook signing secret"
# `[A-Za-z0-9]` excludes `_` and `.`, so documentation placeholders such as
# `whsec_configure_this` and `whsec_...` already fail this rule on their own;
# the matching entries in the global [allowlist] exist for the default rules.
regex = '''whsec_[A-Za-z0-9]{20,}'''
tags = ["key", "stripe"]
# Pre-filter: lines without this substring are never run through the regex.
keywords = ["whsec_"]
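[[rules]]
id = "nzila-database-url-with-password"
# The regex itself cannot exclude localhost (Go's RE2 syntax has no lookahead);
# localhost URLs are suppressed by the `postgres(ql)?://[^@]+@localhost` entry
# in the global [allowlist]. The description states that instead of implying
# the rule skips them by itself.
description = "Database connection string with embedded password (localhost excluded via global allowlist)"
# `[^/]+/` requires a path component after the host, so `postgres://u:p@host`
# with no trailing `/db` is not reported. `[^:]+` and `[^@]+` are not limited
# to URL characters, so a credential-free URL followed later in the same
# fragment by an `@` may still match — review such findings manually.
regex = '''postgres(ql)?://[^:]+:[^@]+@[^/]+/'''
tags = ["database"]
# Pre-filter: lines without one of these substrings are never run through the regex.
keywords = ["postgresql://", "postgres://"]
# Rule-scoped allowlist: applies only to this rule, unlike the global [allowlist].
[rules.allowlist]
description = "drizzle.config.ts files use env-var fallback with local dev URL — not a real secret"
paths = ['''drizzle\.config\.ts$''']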
[[rules]]
id = "nzila-qbo-client-secret"
description = "QuickBooks Online client secret"
# Matches the `KEY = value` assignment form only (`=` is required) with an
# optional opening quote; `KEY: value` (YAML/JSON) is not covered.
# `[A-Za-z0-9]{20,}` excludes `_` and `-`, so placeholders such as
# `your_client_secret_here` do not match. With no `secretGroup` the whole
# match, including the variable name, is reported as the secret.
regex = '''QBO_CLIENT_SECRET\s*=\s*["\']?[A-Za-z0-9]{20,}'''
tags = ["key", "quickbooks"]
# Pre-filter: lines without this substring are never run through the regex.
keywords = ["QBO_CLIENT_SECRET"]