Fix gitleaks security configuration issues

mithro · claude · mithro · commit 86d90eb7f965 · 2025-11-14T11:05:37.000+10:30
Improved gitleaks configuration based on code review feedback: 1. Database password allowlist - Changed from broad pattern that would match any string containing 'postgres' to specific pattern that only matches literal 'postgres' password in connection strings (postgres://user:postgres@host) 2. Django SECRET_KEY detection - Added allowlist to existing rule for env() calls and get_random_secret_key() generator. Added new rule 'django-secret-key-in-default' to detect hardcoded secrets in env() default parameters. 3. Path allowlisting - Removed overly broad directory allowlists: - tests/ (should validate actual secret content) - .github/workflows/ (CI credentials need validation) - config/settings/base.py (settings files need validation) - deployment/scripts/ (deployment scripts need validation) These changes improve secret detection accuracy by being more specific in allowlists and removing blanket directory exclusions. Addresses code review feedback from CodeRabbit and Claude bot on PR #42. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -10,14 +10,10 @@ paths = [
     '''\.env\.example$''',              # Template files are safe
     '''\.env\.production\.template$''', # Production template is safe
     '''docs/''',                         # Documentation files
-    '''tests/''',                        # All test files with fake OAuth secrets
-    '''\.github/workflows/''',           # CI configuration with test database credentials
-    '''config/settings/base\.py$''',     # Base settings with dev defaults and admin emails
     '''\.venv/''',                       # Virtual environment
     '''\.worktrees/''',                  # Git worktrees
     '''node_modules/''',                 # Node modules
     '''staticfiles/''',                  # Collected static files
-    '''deployment/scripts/''',           # Deployment scripts manage secrets safely
 ]
 
 # Common patterns for test files with fake credentials
@@ -35,9 +31,20 @@ regexes = [
 # Custom rules for Django/OAuth specific secrets
 [[rules]]
 id = "django-secret-key"
-description = "Django SECRET_KEY"
+description = "Django SECRET_KEY in assignment"
 regex = '''(?i)SECRET_KEY\s*=\s*['"][^'"]{40,}['"]'''
 tags = ["django", "secret"]
+[rules.allowlist]
+regexes = [
+    '''env\(''',  # Allow env() calls - secrets loaded from environment
+    '''get_random_secret_key\(''',  # Allow Django's random secret key generator
+]
+
+[[rules]]
+id = "django-secret-key-in-default"
+description = "Django SECRET_KEY in env() default parameter"
+regex = '''env\([^,]+,\s*default\s*=\s*['"][^'"]{40,}['"]'''
+tags = ["django", "secret"]
 
 [[rules]]
 id = "oauth-client-secret"
@@ -67,7 +74,7 @@ regex = '''postgres://[^:]+:([^@]{8,})@'''
 tags = ["database", "password"]
 [rules.allowlist]
 regexes = [
-    '''postgres''',  # Allow 'postgres' as password in dev/test
+    '''postgres://[^:]+:postgres@''',  # Allow literal 'postgres' password only
 ]
 
 [[rules]]
