# gitleaks config — element-x-ada
#
# Element X is a Matrix client fork with Cardano ADA integration.
# The findings allowlisted here are all public-by-design keys or doc/test fixtures:
#  - PostHog apiKey: client-side analytics token, public in every PostHog-
#    integrated mobile app. It identifies the project but doesn't grant write.
#  - MapTiler API_KEY: client-side maps token, ships in every release
#  - google-services.json: Firebase config — Google explicitly documents
#    this as public-by-design (all real auth goes through FirebaseAuth)
#  - Segment readKey: client-side write key
#  - user_signing_key in KDoc comments: example values in doc-strings
#  - docs/maps.md + *Test.kt: public MapTiler client-token fixtures
#  - docs/build-logs/ssss-roundtrip-result.md: a DEAD test SSSS key (testbot
#    @testbot-elementx locked 2026-06-27); the broad docs/.* glob was REMOVED
#    because it had hidden this fork-added scratch doc from CI
# Keep gitleaks' built-in rules active; this file only layers an allowlist on
# top of them and defines no rules of its own.
[extend]
useDefault = true
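# Global allowlist. It applies to every rule, so each entry below hides
# matching findings from all detectors, not only the one it was written for.
# NOTE(review): recent gitleaks releases offer `[[allowlists]]` with
# `targetRules` / `condition = "AND"` to scope an entry to a single rule or to
# a path-and-regex pair; confirm against the gitleaks version pinned in CI.
[allowlist]
description = "Public client keys (PostHog, MapTiler, Firebase, Segment) + docs + test fixtures"
# Entries are unanchored regular expressions, not globs. Each file entry ends
# in `$`, and the repo-relative ones start with `(?:^|/)`, so that only the
# named file is exempt and not a look-alike such as `maps.md.bak` or
# `FooTest.kts`.
# A path entry exempts the whole file, including anything added to it later.
# For the single dead SSSS key, a fingerprint entry in `.gitleaksignore` would
# be narrower than exempting the file.
paths = [
    '''(?:^|/)docs/maps\.md$''',
    '''(?:^|/)docs/build-logs/ssss-roundtrip-result\.md$''',
    '''.*/google-services\.json$''',
    '''.*Test\.kt$''',
    '''(?:^|/)localazy\.json$''',
    # Directory exemption: everything under tools/localazy/ is skipped.
    '''tools/localazy/.*''',
]
# Regexes are tested against the whole source line of a finding rather than
# against the matched secret alone.
regexTarget = "line"
regexes = [
    # PostHog client keys — match any variable name ending in apiKey.
    # The value is constrained to the `phc_` prefix.
    '''[a-zA-Z]*[Aa]piKey\s*=\s*"phc_[A-Za-z0-9_-]{20,}"''',
    # MapTiler / similar public client keys named API_KEY constant.
    # NOTE(review): the value is not constrained, so any secret assigned to a
    # `const val API_KEY` anywhere in the repo is suppressed. Consider limiting
    # this by path or by the expected key shape.
    '''const\s+val\s+API_KEY\s*=\s*"''',
    # Segment write keys (Kotlin style).
    # NOTE(review): unconstrained value and no word boundary; this also matches
    # longer identifiers that end in `readKey`.
    '''readKey\s*=\s*"''',
    # Localazy / Segment readKey (JSON style).
    # NOTE(review): unconstrained value; applies to every JSON file scanned.
    '''"readKey"\s*:\s*"''',
    # Matrix protocol KDoc examples (* prefix is the KDoc comment shape).
    '''^\s*\*\s*"user_signing_key"\s*:\s*"''',
]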