Add three layers of secret leak prevention: 1. .gitleaks.toml — config extending the default ruleset (~150 rules for AWS, GCP, Stripe, OpenAI, private keys, JWTs, etc.) with allowlists tuned to suppress false positives from test fixtures and docs. 2. .husky/pre-commit — enhanced with gitleaks protect --staged (graceful skip if not installed), sensitive file type blocking (.pem, .key, .enc, id_rsa, etc.), and broadened fallback patterns covering AWS, OpenAI, GCP, and private key headers alongside existing Stripe checks. 3. .github/workflows/build-and-test.yml — new secret-scan CI job using gitleaks-action that runs in parallel with build on every push/PR, serving as the last gate if someone bypasses local hooks.
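# Gitleaks configuration for Pulse
# https://github.com/gitleaks/gitleaks
#
# Extends the default ruleset (AWS, GCP, Stripe, OpenAI, private keys, etc.)
# with allowlists to suppress false positives from test fixtures, docs, and templates.
#
# Scope notes for anyone editing the allowlist:
#   - [allowlist] is GLOBAL: every entry below applies to all default rules,
#     not to one specific rule.
#   - A `paths` entry skips the whole file, so a real credential pasted into a
#     matching file (e.g. any *_test.go) is never reported. Keep path entries
#     narrow and prefer `regexes` entries for specific known-fake values.
#   - The pre-commit hook can be bypassed (--no-verify); the CI secret-scan job
#     is expected to read this same file, so anything allowlisted here is
#     invisible to both layers.

[extend]
useDefault = true

[allowlist]
paths = [
    # Template/example files with placeholder credentials
    '''\.env\.example$''',
    '''mock\.env$''',
    # Test files use fake tokens, keys, and credentials throughout
    '''_test\.go$''',
    '''_test\.ts$''',
    '''tests/integration/''',
    # tmp/ is gitignored but shows up in --no-git scans
    '''^tmp/''',
]

# "match" checks each regex against the full text a rule matched (typically
# `key = value`), not just the extracted secret, so a substring of the key
# name is enough to suppress a finding. Regexes are unanchored substring
# matches; anchor anything that could plausibly occur inside a real credential.
regexTarget = "match"
regexes = [
    # PULSE_LICENSE_PUBLIC_KEY is an env var name, not a secret value
    '''PULSE_LICENSE_PUBLIC_KEY''',
    # Documentation placeholder tokens in curl examples
    '''your-token''',
    '''your-api-token''',
    '''your-original-token''',
    # Dev credentials documented in CLAUDE.md and scripts (admin:admin)
    '''admin:admin''',
    # E2E test bootstrap token (deterministic, not a real secret).
    # Word-bounded so this 16-hex-char run is only allowlisted when it stands
    # alone; a longer real hex secret that happens to contain it is still
    # reported. If the E2E token is longer than this exact string, extend the
    # literal rather than dropping the \b anchors.
    '''\b0123456789abcdef\b''',
]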