From ec5e992beb84b0ab65f7a696ceffd62569aacb0f Mon Sep 17 00:00:00 2001
From: Charles Danesi
Date: Wed, 3 Jun 2026 18:18:22 -0400
Subject: [PATCH] ci: prevent multiline gitleaks false positives

---
 .gitleaks.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitleaks.toml b/.gitleaks.toml
index 7259ada..ffc7d00 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -12,14 +12,14 @@ regexes = [
 [[rules]]
 id = "docker-env-password"
 description = "Hardcoded password in docker-compose environment"
-regex = '''(?i)(PASSWORD|PASS|PWD)\s*[:=]\s*['"]?([A-Za-z0-9!@#%^&+=.,_~/-]{8,})['"]?'''
+regex = '''(?im)^\s*-?\s*[A-Z0-9_]*(PASSWORD|PASS|PWD)\s*[:=]\s*['"]?([A-Za-z0-9][A-Za-z0-9!@#%^&+=.,_~/-]{7,})['"]?\s*(?:#.*)?$'''
 secretGroup = 2
 tags = ["docker", "compose", "password", "env"]
 
 [[rules]]
 id = "docker-env-secret"
 description = "Hardcoded secret, token, or API key in docker-compose environment"
-regex = '''(?i)(SECRET|TOKEN|API[_-]?KEY)\s*[:=]\s*['"]?([A-Za-z0-9_\-]{20,})['"]?'''
+regex = '''(?im)^\s*-?\s*[A-Z0-9_]*(SECRET|TOKEN|API[_-]?KEY)\s*[:=]\s*['"]?([A-Za-z0-9][A-Za-z0-9_\-]{19,})['"]?\s*(?:#.*)?$'''
 secretGroup = 2
 tags = ["docker", "compose", "secret", "env"]
 
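Review bot: The trailing `\s*(?:#.*)?$` anchor on both new `regex` lines trades false positives for misses: a value containing any character outside the capture class after its first eight characters (`PASSWORD="Password123*extra"`, `TOKEN=abcdefghij1234567890(prod)`) now fails to match at all, where the old unanchored rule still flagged the matching prefix, and a commented-out `# DB_PASSWORD=hunter2hunter2` line no longer matches either, because nothing in `^\s*-?\s*[A-Z0-9_]*` can absorb the `#` — a commented-out secret in git history is still a leak. Since the multiline false positive comes from the `\s*` around `[:=]` spanning a newline, the `(?im)^` line-start anchor is enough on its own if that whitespace is made horizontal: write `[ \t]*[:=][ \t]*` in place of `\s*[:=]\s*` in both rules and drop the `['"]?\s*(?:#.*)?$` tail, leaving the capture group and `secretGroup = 2` as they are. Unless a `paths` restriction outside this hunk limits these rules to compose files, the `^` anchor presumably also stops `export DB_PASSWORD=...` lines in shell or `.env` files from matching; a comment above each rule such as `# Matches one `KEY: value` / `- KEY=value` line; anchored to line start so a bare `PASSWORD:` key followed by a nested block is not flagged` would record the intended file shapes for the next person tuning it.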