chore 📦: Update Gitleaks configuration and README

Add `--config-path .gitleaks.toml` to pr-check.yaml and create a new `.gitleaks.toml` file with allowlist and rules for security scanning. Rename 'API utilities' to 'Utilities' in the README.md table.
2026-02-14 10:01:44 +01:00
parent e21f9bd002
commit c9a6f0e092
3 changed files with 32 additions and 1 deletions
--- a/.gitea/workflows/pr-check.yaml
+++ b/.gitea/workflows/pr-check.yaml
@@ -26,6 +26,7 @@ jobs:
      - name: Run Gitleaks
        run: |
          gitleaks dir . \
+            --config-path .gitleaks.toml \
            --redact=10 \
            --verbose \
            --exit-code 1
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -0,0 +1,30 @@
+title = "Gitleaks Config"
+
+# ==========================
+# Allowlist / False Positive Rules
+# ==========================
+# [[allowlist]]
+# description = "Ignore placeholder secrets in README.md"
+# filepath = "README.md"
+# # Add all placeholder-like patterns that trigger false positives
+# regex = "cafebabe|deadbeef|DB_PASSWORD"
+
+[[allowlist]]
+description = "Ignore badge URLs in README"
+filepath = "README.md"
+regex = "https://img.shields.io"
+
+# ==========================
+# Rules
+# ==========================
+[[rules]]
+id = "generic-api-key"
+description = "Generic API Key"
+regex = "(?i)(api[_-]?key|secret|token)=\\S+"
+entropy = 3.5
+
+[[rules]]
+id = "sidekiq-secret"
+description = "Sidekiq Secret"
+regex = "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=\\S+"
+entropy = 2.5
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@
 | Swap handling            |  ✅   |  ✅   |  ✅   |
 | Logrotate protection     |  ✅   |  ✅   |  ✅   |
 | Powertop auto-tune       |  ✅   |  ✅   |  ✅   |
-| API utilities            |  ✅   |  ✅   |  ✅   |
+| Utilities                |  ✅   |  ✅   |  ✅   |

 ## 📂 Directory Structure