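# Gitleaks configuration for AIM
# Detects secrets, crypto keys, PEM material, JWT tokens, and PQC artifacts.
title = "AIM Secret Detection Rules"

# Keep the upstream gitleaks default ruleset active; the [[rules]] below are
# added on top of it rather than replacing it.
[extend]
useDefault = true

[[rules]]
id = "pem-private-key"
description = "PEM-encoded private key"
# The optional algorithm word covers the common OpenSSL/OpenSSH header spellings.
regex = '''-----BEGIN\s*(RSA|EC|OPENSSH|DSA|ED25519|ENCRYPTED)?\s*PRIVATE KEY-----'''
tags = ["crypto", "key"]

[[rules]]
id = "pem-certificate"
description = "PEM-encoded certificate (may contain embedded key)"
# Certificates are public, but bundles are often committed next to their key.
regex = '''-----BEGIN CERTIFICATE-----'''
tags = ["crypto", "cert"]

[[rules]]
id = "jwt-token"
description = "JSON Web Token"
# "eyJ" is the base64url encoding of '{"', i.e. the start of the JOSE header
# and payload segments; three dot-separated segments of 10+ chars are required.
regex = '''eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}'''
tags = ["jwt", "token"]

[[rules]]
id = "jwt-secret-assignment"
description = "Hardcoded JWT secret in source"
# Requires a quoted literal of 8+ chars, so env-var lookups do not trigger.
regex = '''(?i)(jwt[_-]?secret|signing[_-]?key)\s*[:=]\s*["'][^"']{8,}["']'''
tags = ["jwt", "secret"]

[[rules]]
id = "aes-key-hex"
description = "Potential AES key (32+ hex chars)"
# 32 hex chars is a 128-bit key; longer matches cover AES-192/256.
regex = '''(?i)(aes[_-]?key|encryption[_-]?key|master[_-]?key)\s*[:=]\s*["'][0-9a-fA-F]{32,}["']'''
tags = ["crypto", "key"]

[[rules]]
id = "pqc-private-material"
description = "PQC/ML-DSA private key material"
# Matches the assignment only, not the value: post-quantum secret keys have no
# fixed textual shape, so any `<scheme>_private =` style binding is reported.
regex = '''(?i)(dilithium|mldsa|kyber|mlkem)[_-]?(private|secret|priv|sk)\s*[:=]'''
tags = ["crypto", "pqc"]

[[rules]]
id = "database-password"
description = "Database connection with password"
# Scheme list includes the `postgresql://` spelling used by libpq/SQLAlchemy
# and `mongodb+srv://`; a bare `postgres`/`mongodb` alternative would not match
# those URIs. The password must be 8+ non-whitespace chars before the `@`.
regex = '''(?i)(postgres(ql)?|mysql|mongodb(\+srv)?)://[^:]+:[^@\s]{8,}@'''
tags = ["database", "credential"]

[[rules]]
id = "api-key-generic"
description = "Generic API key assignment"
# Quoted literal of 20+ token chars; shorter values are assumed to be placeholders.
regex = '''(?i)(api[_-]?key|apikey|secret[_-]?key)\s*[:=]\s*["'][A-Za-z0-9_\-]{20,}["']'''
tags = ["api", "key"]

[[rules]]
id = "bcrypt-hash"
description = "Bcrypt hash (potential hardcoded password hash)"
# $2<variant>$<cost>$ prefix followed by the fixed 53-char salt+digest body.
regex = '''\$2[aby]?\$[0-9]{2}\$[./A-Za-z0-9]{53}'''
tags = ["password", "hash"]

# Global allowlist: applies to every rule above and to the default ruleset.
[allowlist]
description = "Global allowlist"
# False positives: Java SDK constructor param validation, TS test fixtures
commits = [
    "5c51070d3c86add39fbbf421912fe4bcc4ea079f",
    "73ef4dabbd3598d785fc06eb6e2f98ea41a27196",
]
# Path entries are regular expressions.
# NOTE(review): `scripts/`, `docs/`, `examples/` and `migrations/` are skipped
# wholesale. Deploy scripts, example .env files and seed migrations are common
# places for live credentials to land; prefer narrowing these to the specific
# files that produce false positives, or scoping them to individual rules.
paths = [
    '''(.*/)?_test\.go$''',
    '''(.*/)?test_.*\.py$''',
    '''(.*/)?testdata/.*$''',
    '''(.*/)?test/.*$''',
    '''(.*/)?tests/.*$''',
    '''(.*/)?fixtures/.*$''',
    '''(.*/)?examples/.*$''',
    '''(.*/)?docs/.*$''',
    '''(.*/)?migrations/.*$''',
    '''(.*/)?sdk.*/test.*$''',
    '''(.*/)?sdk/.*\.test\.(ts|js)$''',
    '''(.*/)?sdk/.*\.integration\.test\.(ts|js)$''',
    '''(.*/)?sdks/.*test.*$''',
    '''(.*/)?scripts/.*$''',
    '''\.gitleaks\.toml$''',
    '''go\.sum$''',
    '''package-lock\.json$''',
]
# did:key identifiers are public keys (not secrets) used in cross-engine interop verification
regexes = [
    '''did:key:z6Mk[A-Za-z0-9]+''',
]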