path: root/.gitleaks.toml
blob: a77c13a9b16b81b33c2fa2879824cd7d3a2aa627 (plain)
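# Options Ref:
# https://github.com/gitleaks/gitleaks#configuration

[extend]
# useDefault will extend the base configuration with the default gitleaks config:
# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml
useDefault = true

[allowlist]
description = "Global allow list"
# Each entry is a regular expression matched against the repo-relative path.
# Dots are escaped and the pattern is anchored at both ends so that only the
# named file is excluded from scanning -- an unanchored `^\.gitleaks.toml`
# would also have excluded e.g. `.gitleaks.toml.bak` or `.gitleaks_toml`.
paths = [
  '''^\.gitleaks\.toml$''',
  '''^\.gitleaks/baseline\.json$''',
  '''^\.github/workflows/scan-secrets\.yml$''',
]

# Any ENCRYPTED[blahblahblah] entries are only valid from a Cirrus-CI
# execution context, but may appear in any file loadable by a starlark
# script.  Though the actual strings are repo-specific and useless elsewhere.
# This check is here simply to raise red-flags on new definitions or movements
# of existing values.  Operationally, the actual leak-risk is only present
# after Cirrus-CI decodes the value.
[[rules]]
id = "cirrus-ci_config-secrets"
description = "Cirrus-CI Configuration Secret ID"
# Literal `ENCRYPTED[` followed by one or more hex digits and a closing `]`.
regex = '''ENCRYPTED[\[][a-fA-F0-9]+\]'''

# Any *_credentials items in .cirrus.yml should not appear in any other context.
# Though Cirrus-CI restricts decoding of these values, this check is here to
# raise red-flags on any new definitions or movements.
[[rules]]
id = "cirrus-ci_cloud-credentials"
description = "Cirrus-CI Cloud service-account credentials"
regex = '''(gcp|aws)_credentials'''

# Changes to the scanning workflow trigger could be used to superficially mask
# a negative result.
#
# NOTE(review): the global [allowlist] above excludes this very path from
# scanning, and gitleaks checks the global path allowlist before evaluating
# any rule, so as configured this rule most likely never fires on
# .github/workflows/scan-secrets.yml.  Presumably the workflow is allowlisted
# because it references the secret names matched by the
# podman_github-action_secrets rule below.  To make this rule effective, drop
# the workflow entry from the global allowlist and instead add a
# `[rules.allowlist]` with `paths = ['''^\.github/workflows/scan-secrets\.yml$''']`
# to each rule that must ignore the workflow file -- TODO confirm against the
# workflow contents before changing.
[[rules]]
id = "scan-secrets_trigger"
description = "PR trigger change to secret-scanning workflow"
regex = '''pull_request:'''
# `path` is a regex as well: dots escaped and anchored so only the workflow
# file itself is in scope for this rule.
path = '''^\.github/workflows/scan-secrets\.yml$'''

##### Podman Repo. specific items #####

[[rules]]
id = "podman_envar_credentials"
# From .cirrus.yml
description = "Service-account and other credentials with limited/specific and restricted access."
# These are environment-variable *names*, not values; a hit means a reference
# to one of them showed up outside the expected CI context.
regex = '''GCPJSON|GCPNAME|AWSINI|GCPPROJECT'''

[[rules]]
id = "podman_github-action_secrets"
description = "Managed secrets for github-action workflows."
# From https://github.com/containers/podman/settings/secrets/actions
# Secret *names* matched by prefix.  The `.+` tails make `AZ_` and `MACOS_`
# fairly broad, so expect occasional false positives on unrelated identifiers
# that share those prefixes.
regex = '''SECRET_CIRRUS_API_KEY|ACTION_MAIL_.+|AZ_.+|MACOS_.+|QUAY_PODMAN_.+'''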