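title = "CircuitForge secret + PII scanner"

# gitleaks configuration for the CircuitForge repository.
# Rule and allowlist regexes are evaluated by gitleaks' Go regexp engine (RE2):
# no lookaround, and `\b`/`\w` are ASCII-only.

[extend]
useDefault = true # inherit all 150+ built-in gitleaks rules

# ── CircuitForge-specific secret patterns ────────────────────────────────────

# Broad "NAME = <value>" catch-all for env/YAML-style assignments. It has no
# entropy threshold and no secretGroup, so the whole `name = value` text is the
# reported finding. Long non-secret identifiers (e.g. `key = "cache_strategy_v2_default"`)
# will also trigger it; add a specific allowlist entry below rather than
# loosening the pattern.
[[rules]]
id = "cf-generic-env-token"
description = "Generic KEY=<token> in env-style assignment — catches FORGEJO_API_TOKEN=hex etc."
regex = '''(?i)(token|secret|key|password|passwd|pwd|api_key)\s*[=:]\s*['"]?[A-Za-z0-9\-_]{20,}['"]?'''

# Rule-scoped allowlist. With the default regexTarget these are matched against
# the reported secret, which for this rule is the whole `name = value` match.
# Entries are case-sensitive (no `(?i)` here).
[rules.allowlist]
regexes = [
    # presumed placeholder values — confirm none of these sites ever carries a real credential
    'api_key:\s*ollama',
    'api_key:\s*any',
    'your-[a-z\-]+-here',
    'replace-with-',
    'xxxx',
]

# ── PII patterns ──────────────────────────────────────────────────────────────

# Any 10-digit, NANP-shaped number with optional `+1` country code and optional
# area-code parentheses. The `\b` sits after the optional prefixes: placed in
# front of `+` or `(`, it can never succeed when the number follows a space or
# line start (neither side is a word character), so those prefixes were silently
# dropped from the reported finding. Known gap: `+1` glued directly to the digits
# (`+1415…`, 11 digits with no separator) is not matched.
# Plain 10-digit integers (ids, timestamps) also hit this rule; extend the
# allowlist below rather than weakening the pattern.
[[rules]]
id = "cf-phone-number"
description = "US phone number committed in source or config"
regex = '''(\+1[\s\-.]?)?\(?\b\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}\b'''

# Well-known dummy numbers. The `^…$` entry is anchored against the reported
# match, which may now include a leading `+1`/`(` prefix — the unanchored
# entries are unaffected.
[rules.allowlist]
regexes = [
    '555-\d{4}',
    '555\.\d{4}',
    '5550\d{4}',
    '^1234567890$',
    '0000000000',
    '1111111111',
    '2222222222',
    '9999999999',
]

# Personal webmail addresses. There is no trailing `\b`, so a longer host such
# as `gmail.com.internal` still contains a match and is still reported.
[[rules]]
id = "cf-personal-email"
description = "Personal webmail address committed in source or config (not .example files)"
regex = '''[a-zA-Z0-9._%+\-]+@(gmail|yahoo|icloud|hotmail|outlook|proton)\.(com|me)'''

# Path allowlist for this rule only. Path regexes are unanchored, so `.*test.*`
# skips every path containing "test" anywhere (latest/, contest.py, …), not only
# test directories; something like `(^|/)tests?/` or `_test\.` would be tighter —
# confirm the repository layout before narrowing it.
[rules.allowlist]
paths = [
    '.*\.example$',
    '.*test.*',
    '.*docs/.*',
    '.*\.md$',
]

# ── Global allowlist ──────────────────────────────────────────────────────────

# Applies to every rule, including the inherited built-ins. A `paths` entry here
# removes the file from scanning entirely: a real key pasted into an
# `.env.example` or anywhere under docs/reference/ is not reported by any rule.
# Keep this list short and prefer rule-scoped allowlists for rule-specific noise.
[allowlist]
description = "CircuitForge global allowlist"
paths = [
    '.*\.example$',
    'docs/reference/.*',
    # this config itself — presumably so the placeholder strings below do not self-report
    'gitleaks\.toml$',
]
regexes = [
    # documentation placeholder keys
    'sk-abcdefghijklmnopqrstuvwxyz',
    'your-forgejo-api-token-here',
    'your-[a-z\-]+-here',
    # Python private function/variable on RHS — token = _some_func() is not a secret
    '=\s+_[a-z_]{10,}',
]
# Match the regexes above against the full rule match rather than the extracted
# secret, so the `=\s+_…` entry (which depends on seeing the `=`) also works for
# built-in rules that report only a secretGroup.
regexTarget = "match"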