ci: prevent multiline gitleaks false positives

ci: tighten gitleaks compose rules
2026-06-03 18:18:22 -04:00 · 2026-06-03 18:16:54 -04:00
1 changed files with 2 additions and 2 deletions
@@ -12,14 +12,14 @@ regexes = [
 [[rules]]
 id = "docker-env-password"
 description = "Hardcoded password in docker-compose environment"
-regex = '''(?i)(PASSWORD|PASS|PWD)\s*[:=]\s*['"]?([^$'{"][^\s'"]{5,})['"]?'''
+regex = '''(?im)^\s*-?\s*[A-Z0-9_]*(PASSWORD|PASS|PWD)\s*[:=]\s*['"]?([A-Za-z0-9][A-Za-z0-9!@#%^&+=.,_~/-]{7,})['"]?\s*(?:#.*)?$'''
 secretGroup = 2
 tags = ["docker", "compose", "password", "env"]

 [[rules]]
 id = "docker-env-secret"
 description = "Hardcoded secret, token, or API key in docker-compose environment"
-regex = '''(?i)(SECRET|TOKEN|API[_-]?KEY)\s*[:=]\s*['"]?([^$'{"][A-Za-z0-9_\-]{15,})['"]?'''
+regex = '''(?im)^\s*-?\s*[A-Z0-9_]*(SECRET|TOKEN|API[_-]?KEY)\s*[:=]\s*['"]?([A-Za-z0-9][A-Za-z0-9_\-]{19,})['"]?\s*(?:#.*)?$'''
 secretGroup = 2
 tags = ["docker", "compose", "secret", "env"]
Author	SHA1	Message	Date
cdanesi	ec5e992beb	ci: prevent multiline gitleaks false positives Gitleaks / gitleaks (push) Successful in 5s Details	2026-06-03 18:18:22 -04:00
cdanesi	f057648ce2	ci: tighten gitleaks compose rules Gitleaks / gitleaks (push) Failing after 5s Details	2026-06-03 18:16:54 -04:00