# Title for the gitleaks configuration file.

title = "Gitleaks title"

​

# Extend the base (this) configuration. When you extend a configuration

# the base rules take precendence over the extended rules. I.e, if there are

# duplicate rules in both the base configuration and the extended configuration

# the base rules will override the extended rules.

# Another thing to know with extending configurations is you can chain together

# multiple configuration files to a depth of 2. Allowlist arrays are appended

# and can contain duplicates.

# useDefault and path can NOT be used at the same time. Choose one.

[extend]

# useDefault will extend the base configuration with the default gitleaks config:

# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml

useDefault = true

# or you can supply a path to a configuration. Path is relative to where gitleaks

# was invoked, not the location of the base config.

path = "common_config.toml"

​

# An array of tables that contain information that define instructions

# on how to detect secrets

[[rules]]

​

# Unique identifier for this rule

id = "awesome-rule-1"

​

# Short human readable description of the rule.

description = "awesome rule 1"

​

# Golang regular expression used to detect secrets. Note Golang's regex engine

# does not support lookaheads.

regex = '''one-go-style-regex-for-this-rule'''

​

# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used

# in conjunction with a valid `regex` entry.

path = '''a-file-path-regex'''

​

# Array of strings used for metadata and reporting purposes.

tags = ["tag","another tag"]

​

# Int used to extract secret from regex match and used as the group that will have

# its entropy checked if `entropy` is set.

secretGroup = 3

​

# Float representing the minimum shannon entropy a regex group must have to be considered a secret.

entropy = 3.5

​

# Keywords are used for pre-regex check filtering. Rules that contain

# keywords will perform a quick string compare check to make sure the

# keyword(s) are in the content being scanned. Ideally these values should

# either be part of the idenitifer or unique strings specific to the rule's regex

# (introduced in v8.6.0)

keywords = [

  "auth",

  "password",

  "token",

]

​

# You can include an allowlist table for a single rule to reduce false positives or ignore commits

# with known/rotated secrets

[rules.allowlist]

description = "ignore commit A"

commits = [ "commit-A", "commit-B"]

paths = [

  '''go\.mod''',

  '''go\.sum'''

]

regexes = [

  '''process''',

  '''getenv''',

]

# note: stopwords targets the extracted secret, not the entire regex match

# like 'regexes' does. (stopwords introduced in 8.8.0)

stopwords = [

  '''client''',

  '''endpoint''',

]

​

​

# This is a global allowlist which has a higher order of precedence than rule-specific allowlists.

# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no

# secrets will be detected for said commit. The same logic applies for regexes and paths.

[allowlist]

description = "global allow list"

commits = [ "commit-A", "commit-B", "commit-C"]

paths = [

  '''gitleaks\.toml''',

  '''(.*?)(jpg|gif|doc)'''

]

regexes = [

  '''219-09-9999''',

  '''078-05-1120''',

  '''(9[0-9]{2}|666)-\d{2}-\d{4}''',

]

# note: stopwords targets the extracted secret, not the entire regex match

# like 'regexes' does. (stopwords introduced in 8.8.0)

stopwords = [

  '''client''',

  '''endpoint''',

]