From 74da06c58345ecf8bee9a6001969e59af9752fab Mon Sep 17 00:00:00 2001
From: Charles Danesi
Date: Mon, 1 Jun 2026 20:49:24 -0400
Subject: [PATCH] ci: tune gitleaks scan

---
 .gitea/workflows/gitleaks.yml | 2 +-
 .gitleaks.toml | 27 +++++++++++++--------------
 2 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/.gitea/workflows/gitleaks.yml b/.gitea/workflows/gitleaks.yml
index c0d354c..fe56dfd 100644
--- a/.gitea/workflows/gitleaks.yml
+++ b/.gitea/workflows/gitleaks.yml
@@ -20,4 +20,4 @@ jobs:
 chmod +x gitleaks

 - name: Run Gitleaks
- run: ./gitleaks detect --source . --config .gitleaks.toml --verbose
+ run: ./gitleaks dir . --config .gitleaks.toml --verbose
diff --git a/.gitleaks.toml b/.gitleaks.toml
index 2952cca..0569cbd 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -1,17 +1,26 @@
 title = "Gitleaks Docker Compose CI/CD Config"

+[allowlist]
+description = "Ignore sample/example files and placeholders"
+paths = ['''.*\.env\.sample$''', '''.*\.env\.example$''', '''.*example.*''']
+
+regexes = [
+ '''\$\{[A-Za-z0-9_]+\}''',
+ '''(?i)(my-password|my-super-secret-auth-token|super_secret_password|very_sensitive_secret)''',
+]
+
 [[rules]]
 id = "docker-env-password"
 description = "Hardcoded password in docker-compose environment"
-regex = '''(?i)([A-Z0-9_]*(PASSWORD|PASS|PWD))\s*[:=]\s*['"]?([^$'{"][^\s'"]{5,})['"]?'''
-secretGroup = 3
+regex = '''(?i)(PASSWORD|PASS|PWD)\s*[:=]\s*['"]?([^$'{"][^\s'"]{5,})['"]?'''
+secretGroup = 2
 tags = ["docker", "compose", "password", "env"]

 [[rules]]
 id = "docker-env-secret"
 description = "Hardcoded secret, token, or API key in docker-compose environment"
-regex = '''(?i)([A-Z0-9_]*(SECRET|TOKEN|API[_-]?KEY))\s*[:=]\s*['"]?([^$'{"][A-Za-z0-9_\-]{15,})['"]?'''
-secretGroup = 3
+regex = '''(?i)(SECRET|TOKEN|API[_-]?KEY)\s*[:=]\s*['"]?([^$'{"][A-Za-z0-9_\-]{15,})['"]?'''
+secretGroup = 2
 tags = ["docker", "compose", "secret", "env"]

 [[rules]]
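Review bot: The new `run: ./gitleaks dir . --config .gitleaks.toml --verbose` line drops git-history scanning: `dir` walks the checked-out files only, whereas the replaced `detect --source .` scanned commits, so a secret that was committed and then removed on the same branch no longer fails the job, which is a coverage regression rather than a tune. If working-tree-only scanning is intended, record that on the step, e.g. `# dir scans the checkout only; committed-then-removed secrets are NOT caught`, and otherwise add a history pass alongside it, `run: ./gitleaks git . --config .gitleaks.toml --verbose`. The `dir`/`git` subcommands exist only in newer gitleaks releases (8.19 or later, I believe), so the download step above this hunk should pin a version that has them rather than "latest". Note that `--verbose` prints each finding, including the matched secret, into the CI log; the enclosing job definition starts outside the hunk.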
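Review bot: The path entry `'''.*example.*'''` in the new `[allowlist]` `paths` array is far broader than the two `.env.sample$` / `.env.example$` entries next to it: it silences every file whose path contains "example" anywhere (e.g. `examples/prod-stack/docker-compose.yml`), so real credentials in such files are skipped without any finding; dropping it, or narrowing to a filename pattern such as `'''(^|/)[^/]*example[^/]*\.(env|ya?ml)$'''`, keeps the intended templates covered. The two `regexes` are also unanchored and, with no `regexTarget` set, are compared against the captured secret, so a real value that merely contains `my-password` or `super_secret_password` is allowlisted; anchor them, e.g. `'''(?i)^(my-password|my-super-secret-auth-token|super_secret_password|very_sensitive_secret)$'''`. The `\$\{[A-Za-z0-9_]+\}` regex can never match a whole secret from these rules, since both rule regexes already exclude a leading `$`, so it is either redundant or only fires on partial matches inside longer values — worth a comment stating which is intended. Separately, the block this commit replaces used `[[allowlists]]`, and the singular `[allowlist]` chosen here is the older form; confirm the pinned gitleaks accepts it rather than silently ignoring it.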
@@ -25,13 +34,3 @@ id = "private-key"
 description = "Private key detected"
 regex = '''-----BEGIN( RSA| EC| DSA| OPENSSH)? PRIVATE KEY-----'''
 tags = ["key", "pem", "compose"]
-
-[[allowlists]]
-description = "Ignore env templates, examples, comments, and variable substitutions"
-paths = ['''.*\.env\.sample$''', '''.*\.env\.example$''', '''.*example.*''']
-
-regexes = [
- '''^\s*#''',
- '''\$\{[A-Za-z0-9_]+\}''',
- '''(?i)(my-password|my-super-secret-auth-token|super_secret_password|very_sensitive_secret)''',
-]