diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 0000000..3472041 --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,22 @@ +# gitleaks config — aldabra +# +# Why: the gitleaks `generic-api-key` rule flags high-entropy hex strings. +# Cardano governance / policy / asset / script identifiers are 28-byte +# blake2b hashes (56 hex chars), which trip the rule even though they are +# public on-chain values — script hashes are derivable from validator +# bytecode that ships in the repo. They are NOT secrets. +# +# Add new allowlist entries here when CI catches more false-positive +# patterns. Real secrets (signing keys, mnemonics, API tokens) still +# trip the rule because their syntactic context (Bech32 prefixes, +# private_key fields, env-var names) doesn't match these regexes. + +[extend] +useDefault = true + +[allowlist] +description = "Cardano gov_token_policy / policy_id IDs are public blake2b script hashes" +regexTarget = "line" +regexes = [ + '''gov_token_policy:\s*"[a-f0-9]{56}"''', +]