commit db064f3ea569a932b65c7a391f7d8047f0169ba9 Author: pyr0ball Date: Sat Mar 7 12:33:46 2026 -0800 feat: add shared gitleaks config with CF secret + PII rules
diff --git a/gitleaks.toml b/gitleaks.toml new file mode 100644
index 0000000..ac69c23
--- /dev/null
+++ b/gitleaks.toml
@@ -0,0 +1,64 @@
+title = "CircuitForge secret + PII scanner"
+
+[extend]
+useDefault = true # inherit all 150+ built-in gitleaks rules
+
+# ── CircuitForge-specific secret patterns ────────────────────────────────────
+
+[[rules]]
+id = "cf-generic-env-token"
+description = "Generic KEY= in env-style assignment — catches FORGEJO_API_TOKEN=hex etc."
+regex = '''(?i)(token|secret|key|password|passwd|pwd|api_key)\s*[=:]\s*['"]?[A-Za-z0-9\-_]{20,}['"]?'''
+[rules.allowlist]
+regexes = [
+ 'api_key:\s*ollama',
+ 'api_key:\s*any',
+ 'your-[a-z\-]+-here',
+ 'replace-with-',
+ 'xxxx',
+]
+
+# ── PII patterns ──────────────────────────────────────────────────────────────
+
+[[rules]]
+id = "cf-phone-number"
+description = "US phone number committed in source or config"
+regex = '''\b(\+1[\s\-.]?)?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}\b'''
+[rules.allowlist]
+regexes = [
+ '555-\d{4}',
+ '555\.\d{4}',
+ '5550\d{4}',
+ '^1234567890$',
+ '0000000000',
+ '1111111111',
+ '2222222222',
+ '9999999999',
+]
+
+[[rules]]
+id = "cf-personal-email"
+description = "Personal webmail address committed in source or config (not .example files)"
+regex = '''[a-zA-Z0-9._%+\-]+@(gmail|yahoo|icloud|hotmail|outlook|proton)\.(com|me)'''
+[rules.allowlist]
+paths = [
+ '.*\.example$',
+ '.*test.*',
+ '.*docs/.*',
+ '.*\.md$',
+]
+
+# ── Global allowlist ──────────────────────────────────────────────────────────
+
+[allowlist]
+description = "CircuitForge global allowlist"
+paths = [
+ '.*\.example$',
+ 'docs/reference/.*',
+ 'gitleaks\.toml$',
+]
+regexes = [
+ 'sk-abcdefghijklmnopqrstuvwxyz',
+ 'your-forgejo-api-token-here',
+ 'your-[a-z\-]+-here',
+]
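Review bot: The global `[allowlist]` `paths` entries `'.*\.example$'` and `'docs/reference/.*'` silence every rule, the inherited built-ins included, for those files — and a `.env.example` copied from a live `.env` or a token pasted into reference docs is exactly the leak a scanner exists to catch, while the placeholder values those paths are meant to excuse are already covered by the global `regexes` list and `cf-personal-email` carries its own `.example` path allowlist. I would trim the global block to `paths = ['gitleaks\.toml$']` and move the `.example`/docs exclusions into the `[rules.allowlist]` of whichever rule actually produces the false positives. The `cf-personal-email` path entry `'.*test.*'` is also broader than it reads, matching any path that contains `test` (`latest/`, `contest.go`, `attestation.py`); anchoring it to a path segment, e.g. `'(^|/)tests?/'`, keeps the intent. Expect `cf-phone-number` to fire on any bare 10-digit run such as a Unix timestamp or numeric ID, so either its allowlist will need to grow or the regex should require a separator or the `+1` prefix.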