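# Gitleaks configuration
# https://github.com/gitleaks/gitleaks
title = "Payload CMS Gitleaks Config"

[extend]
# Build on the default gitleaks ruleset instead of replacing it.
useDefault = true

# Global allowlist. Everything matched here is dropped for every rule,
# including the default ruleset, so keep each entry as narrow as possible.
[allowlist]
# Paths to ignore (regexes matched against the file path).
paths = [
    '''node_modules/''',
    '''\.next/''',
    '''dist/''',
    '''coverage/''',
    '''\.pnpm/''',
    '''pnpm-lock\.yaml''',
    '''package-lock\.json''',
    '''\.env\.example''',
    '''\.env\.sample''',
    # NOTE(review): skips all markdown under docs/, so a real credential
    # pasted into documentation is never reported.
    '''docs/.*\.md''',
]
# Regexes to ignore (test data etc.). These are unanchored and, by default,
# compared against the detected secret, so `dummy` also hides a real
# password that merely contains that word.
# Placeholder words belong here rather than in a dedicated rule: a rule's
# own allowlist only filters that rule's findings and cannot suppress
# matches produced by other rules.
regexes = [
    '''example\.com''',
    '''test@test\.com''',
    '''dummy''',
    '''placeholder''',
    # Template placeholders such as YOUR_API_KEY_HERE.
    '''YOUR_[A-Z_]+_HERE''',
]
# Commits to ignore (full SHAs).
commits = []

# Additional rules on top of the defaults.
[[rules]]
id = "payload-secret"
description = "Payload Secret"
# Accepts `=` and `:` assignments (env files, JS/TS objects, JSON) and an
# optionally quoted value; group 1 is the value itself.
regex = '''(?i)payload[_-]?secret['"]?\s*[:=]\s*['"]?([a-zA-Z0-9_-]{20,})['"]?'''
secretGroup = 1
tags = ["secret", "payload"]

[[rules]]
id = "smtp-password"
description = "SMTP password in config"
# Case-insensitive so SMTP_PASSWORD=... in .env files is caught. The value
# may be quoted or bare; a quoted value containing whitespace is only
# captured up to the first space. Group 1 is the password.
regex = '''(?i)smtp[_-]?pass(?:word)?['"]?\s*[:=]\s*['"]?([^'"\s]+)['"]?'''
secretGroup = 1
tags = ["secret", "smtp"]
# References to environment variables (process.env.X, $X, ${X}) are not
# secrets; this allowlist applies only to this rule's findings.
allowlist = { regexes = ['''^process\.env\.''', '''^\$\{?'''] }

[[rules]]
id = "database-url"
description = "Database URL with credentials"
# Also matches postgresql://, mongodb+srv:// and rediss://, which the bare
# scheme names would miss. User and password may not contain whitespace,
# so the match cannot run across lines. Group 1 is the password.
regex = '''(?i)\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|rediss?)://[^:/\s@]+:([^@\s]+)@'''
secretGroup = 1
tags = ["secret", "database"]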