# gitleaks config — element-x-ada
#
# Element X is a Matrix client fork with Cardano ADA integration.
# Findings allowlisted here are all public-by-design keys or doc/test fixtures:
# - PostHog apiKey: client-side analytics token, public on every PostHog-
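# integrated mobile app. Identifies the project, doesn't grant write.
# NOTE(review): a client-side PostHog key is what the app uses to submit
# events, so "doesn't grant write" presumably means no read or admin access
# to project data; confirm the intended meaning.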
# - MapTiler API_KEY: client-side maps token, ships in every release
# - google-services.json: Firebase config — Google explicitly documents
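# this as public-by-design (all real auth goes through FirebaseAuth)
# NOTE(review): treating this file as public assumes backend access is
# restricted server-side (e.g. Firebase Security Rules, API key
# restrictions); confirm that holds for this project.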
# - Segment readKey: client-side write key (NOTE(review): the name says
# "read", the description says "write"; confirm which key this is)
# - user_signing_key in KDoc comments: example values in doc-strings
# - docs/ + *Test.kt files: scratch + test fixtures, never live credentials
# Build on the default gitleaks rule set. This file defines no rules of its
# own; everything else in it only suppresses findings from those defaults.
[extend]
useDefault = true
# Global allowlist: findings that match are dropped from the report.
# NOTE(review): no `condition` key is set, so a path match or a regex match
# alone is presumably enough to suppress a finding (they are not combined);
# confirm against the gitleaks version in use.
[allowlist]
description = "Public client keys (PostHog, MapTiler, Firebase, Segment) + docs + test fixtures"
# Path entries are regular expressions, not globs. A file whose path matches
# is exempt from every rule, so a live credential pasted into a doc page or a
# test file would go unreported; "never live credentials" is an assumption
# this config does not enforce.
# NOTE(review): none of these patterns is anchored with ^ or $. If gitleaks
# applies them as unanchored searches, `docs/.*` also covers nested `docs/`
# directories and `.*Test\.kt` also covers names that merely contain
# "Test.kt" — TODO confirm and anchor if the narrower scope is intended.
paths = [
'''docs/.*''',
'''.*/google-services\.json''',
'''.*Test\.kt''',
'''localazy\.json''',
'''tools/localazy/.*''',
]
# "line" makes each regex below test the whole source line that holds the
# finding rather than only the detected secret, which is why the patterns can
# key on variable names.
regexTarget = "line"
regexes = [
# PostHog client keys — match any variable name ending in apiKey
# The value is constrained as well: it must start with `phc_` followed by at
# least 20 key characters, so other strings assigned to an apiKey still report.
'''[a-zA-Z]*[Aa]piKey\s*=\s*"phc_[A-Za-z0-9_-]{20,}"''',
# MapTiler / similar public client keys named API_KEY constant
# NOTE(review): this matches the declaration only and puts no constraint on
# the value, so any string assigned to a `const val API_KEY` anywhere in the
# repository is suppressed, including a secret key. Consider constraining the
# value shape or limiting this to the file that holds the public key.
'''const\s+val\s+API_KEY\s*=\s*"''',
# Segment write keys (Kotlin style)
# NOTE(review): the pattern keys on the name `readKey`, not on a write key,
# and does not constrain the value; confirm which key this is meant to cover.
# Being unanchored, it also matches longer identifiers ending in `readKey`.
'''readKey\s*=\s*"''',
# Localazy / Segment readKey (JSON style)
# Value is likewise unconstrained: any JSON string under a "readKey" property
# is suppressed in every file, not only in localazy.json.
'''"readKey"\s*:\s*"''',
# Matrix protocol KDoc examples (* prefix is the KDoc comment shape)
# Anchored at line start, so only lines that begin with optional whitespace
# and `*` are suppressed; the same key in ordinary code still reports.
'''^\s*\*\s*"user_signing_key"\s*:\s*"''',
]