# Gitleaks configuration for NAS Tools # Whitelist rules for known-safe patterns in tests, docs, and CI configs [allowlist] description = "Known safe patterns in test fixtures and CI configuration" # Test secrets / example values used in CI and conftest [[allowlist.rules]] id = "generic-api-key" description = "Test SECRET_KEY in CI env and conftest" regexes = [ '''test-secret-key-for-ci-environment''', '''test-secret-key-for-testing''', '''os\.environ\.setdefault\(["']SECRET_KEY''', '''SECRET_KEY: \$\{SECRET_KEY\}''', '''SECRET_KEY=\$\{SECRET_KEY\}''', ] # Telegram test tokens (empty or placeholder) [[allowlist.rules]] id = "telegram-bot-token" description = "Placeholder Telegram tokens in CI config" regexes = [ '''TELEGRAM_BOT_TOKEN:-''', '''TELEGRAM_BOT_TOKEN=\$\{TELEGRAM_BOT_TOKEN''', ] # Transmission test creds [[allowlist.rules]] id = "transmission-credentials" description = "Test Transmission credentials in conftest" regexes = [ '''TRANSMISSION_USER.*test-tx''', '''TRANSMISSION_PASS.*test-tx''', ] # SMTP test config [[allowlist.rules]] id = "smtp-credentials" description = "SMTP env var references (not actual secrets)" regexes = [ '''SMTP_USER\s*=\s*os\.getenv''', '''SMTP_PASSWORD\s*=\s*os\.getenv''', '''SMTP_TO\s*=\s*os\.getenv''', ] # Gitea token env var references [[allowlist.rules]] id = "gitea-token" description = "Gitea token env var references" regexes = [ '''GITEA_TOKEN\s*=\s*os\.getenv''', '''GITEA_TOKEN=\$\{GITEA_TOKEN\}''', '''GITEA_TOKEN: \$\{GITEA_TOKEN\}''', ] # Admin password hash env var reference [[allowlist.rules]] id = "admin-password-hash" description = "Admin password hash env var references" regexes = [ '''ADMIN_PASSWORD_HASH\s*=\s*os\.getenv''', '''ADMIN_PASSWORD_HASH=\$\{ADMIN_PASSWORD_HASH\}''', '''ADMIN_PASSWORD_HASH: \$\{ADMIN_PASSWORD_HASH\}''', ]