title = "Gitleaks Docker Compose CI/CD Config"

[[rules]]
id = "docker-env-password"
description = "Hardcoded password in docker-compose environment"
regex = '''(?i)([A-Z0-9_]*(PASSWORD|PASS|PWD))\s*[:=]\s*['"]?([^$'{"][^\s'"]{5,})['"]?'''
secretGroup = 3
tags = ["docker", "compose", "password", "env"]

[[rules]]
id = "docker-env-secret"
description = "Hardcoded secret, token, or API key in docker-compose environment"
regex = '''(?i)([A-Z0-9_]*(SECRET|TOKEN|API[_-]?KEY))\s*[:=]\s*['"]?([^$'{"][A-Za-z0-9_\-]{15,})['"]?'''
secretGroup = 3
tags = ["docker", "compose", "secret", "env"]

[[rules]]
id = "aws-credentials"
description = "AWS Access Key or Secret"
regex = '''AKIA[0-9A-Z]{16}|(?i)aws[_-]secret[_-]access[_-]key\s*[:=]\s*[A-Za-z0-9/+=]{40}'''
tags = ["aws", "compose", "credentials"]

[[rules]]
id = "private-key"
description = "Private key detected"
regex = '''-----BEGIN( RSA| EC| DSA| OPENSSH)? PRIVATE KEY-----'''
tags = ["key", "pem", "compose"]

[[allowlists]]
description = "Ignore env templates, examples, comments, and variable substitutions"
paths = ['''.*\.env\.sample$''', '''.*\.env\.example$''', '''.*example.*''']

regexes = [
   '''^\s*#''',
   '''\$\{[A-Za-z0-9_]+\}''',
   '''(?i)(my-password|my-super-secret-auth-token|super_secret_password|very_sensitive_secret)''',
]