From 6fa52e13da193c19298ce322b10597ee366dbe0f Mon Sep 17 00:00:00 2001
From: Charles Danesi
Date: Mon, 1 Jun 2026 20:46:07 -0400
Subject: [PATCH] ci: tune gitleaks rules
---
 .gitleaks.toml | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/.gitleaks.toml b/.gitleaks.toml
index 89a038d..2952cca 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -2,28 +2,36 @@ title = "Gitleaks Docker Compose CI/CD Config"
 [[rules]]
 id = "docker-env-password"
-description = "Possible password in docker-compose environment"
-regex = "(?i)([A-Z0-9_]*(PASSWORD|PASS|PWD))[=:]\\s*['\"]?[A-Za-z0-9!@#$%^&*()_+={}\\[\\]:;,.<>?~-]{6,}['\"]?"
+description = "Hardcoded password in docker-compose environment"
+regex = '''(?i)([A-Z0-9_]*(PASSWORD|PASS|PWD))\s*[:=]\s*['"]?([^$'{"][^\s'"]{5,})['"]?'''
+secretGroup = 3
 tags = ["docker", "compose", "password", "env"]
 [[rules]]
 id = "docker-env-secret"
-description = "Generic secret or token in docker-compose environment"
-regex = "(?i)(SECRET|TOKEN|API[_-]?KEY)[=:]\\s*['\"]?[A-Za-z0-9_\\-]{16,}['\"]?"
+description = "Hardcoded secret, token, or API key in docker-compose environment"
+regex = '''(?i)([A-Z0-9_]*(SECRET|TOKEN|API[_-]?KEY))\s*[:=]\s*['"]?([^$'{"][A-Za-z0-9_\-]{15,})['"]?'''
+secretGroup = 3
 tags = ["docker", "compose", "secret", "env"]
 [[rules]]
 id = "aws-credentials"
 description = "AWS Access Key or Secret"
-regex = "(AKIA[0-9A-Z]{16}|(?i)aws[_-]secret[_-]access[_-]key\\s*[:=]\\s*[A-Za-z0-9/+=]{40})"
+regex = '''AKIA[0-9A-Z]{16}|(?i)aws[_-]secret[_-]access[_-]key\s*[:=]\s*[A-Za-z0-9/+=]{40}'''
 tags = ["aws", "compose", "credentials"]
 [[rules]]
 id = "private-key"
 description = "Private key detected"
-regex = "-----BEGIN( RSA| EC| DSA)? PRIVATE KEY-----"
+regex = '''-----BEGIN( RSA| EC| DSA| OPENSSH)? PRIVATE KEY-----'''
 tags = ["key", "pem", "compose"]
 [[allowlists]]
-description = "Ignore example and sample env files"
+description = "Ignore env templates, examples, comments, and variable substitutions"
 paths = ['''.*\.env\.sample$''', '''.*\.env\.example$''', '''.*example.*''']
+
+regexes = [
+'''^\s*#''',
+'''\$\{[A-Za-z0-9_]+\}''',
+'''(?i)(my-password|my-super-secret-auth-token|super_secret_password|very_sensitive_secret)''',
+]
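Review bot: The `'''^\s*#'''` entry in the new `regexes` allowlist is unlikely to suppress anything, because gitleaks applies allowlist regexes to the captured secret (group 3 in the two env rules) unless `regexTarget` is set, and a secret captured from a commented-out line never carries the leading `#`. Add `regexTarget = "line"` to the `[[allowlists]]` table so the comment and `${VAR}` entries are evaluated against the whole line. With a line target, though, `\$\{[A-Za-z0-9_]+\}` suppresses any line that merely contains a substitution somewhere, and compose's `${VAR:-default}` form (a hardcoded default inside the braces) is already skipped by the rules themselves since `[^$'{"]` rejects the leading `$`; consider anchoring that entry so only a value that is entirely a bare `${VAR}` is allowlisted, and treating `:-`/`:?` defaults as candidate secrets rather than substitutions. Separately, the widened `private-key` pattern still misses PKCS#8 encrypted keys, `-----BEGIN ENCRYPTED PRIVATE KEY-----`; `( RSA| EC| DSA| OPENSSH| ENCRYPTED)?` covers them.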