.gitleaks.toml

@@ -1,25 +1,19 @@
-# Gitleaks configuration file
-# This file configures gitleaks to ignore known false positives
-
-title = "PunimTag Gitleaks Configuration"
+# Homelab bootstrap — gitleaks allowlist (tests, examples, placeholders)
+title = "homelab gitea bootstrap"
 
 [allowlist]
-description = "Allowlist for known false positives and test files"
-
-# Ignore demo photos directory (contains sample/test HTML files)
+description = "Test fixtures and example configs are not production secrets"
 paths = [
-  '''demo_photos/.*''',
+  '''(?i).*\.test\.(ts|tsx|js|jsx|py)$''',
+  '''(?i).*\.spec\.(ts|tsx|js|jsx)$''',
+  '''(?i).*/tests/.*''',
+  '''(?i).*/__tests__/.*''',
+  '''(?i).*\.example\.(yml|yaml|env|json|toml)$''',
+  '''(?i).*vault\.example\.(yml|yaml)$''',
+  '''(?i).*\.env\.example$''',
 ]
-
-# Ignore specific commits that contain known false positives
-# These are test tokens or sample files, not real secrets
-commits = [
-  "77ffbdcc5041cd732bfcbc00ba513bccb87cfe96",  # test_api_auth.py expired_token test
-  "d300eb1122d12ffb2cdc3fab6dada520b53c20da",  # demo_photos/imgres.html sample file
-]
-
-# Allowlist specific regex patterns for test files
 regexes = [
-  '''tests/test_api_auth.py.*expired_token.*eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTYwOTQ1NjgwMH0\.invalid''',
+  '''(?i)(invalid|fake|dummy|placeholder|example|changeme|change_me|not-a-real)''',
+  '''(?i)sk-or-invalid''',
+  '''(?i)msk-or-invalid''',
 ]
-