Gitleaks rules¶
Out of the box, BoostSecurity uses the Gitleaks default rule set
Extending Gitleaks rules¶
When you are configuring a custom Gitleaks rule set, you can either specify an entire rule set or use the Gitleaks extend feature. There are a few reasons you may want to extend the default Gitleaks rules:
- Add new detection rules.
- Extend an existing rule.
- Make a rule more strict (i.e., remove false positive).
The Gitleaks configuration documentation shows how to extend the configuration to address any of those cases.
Secrets Validity¶
BoostSecurity will test the secrets validity against any of the following public services. Note that, if corresponding Gitleaks rules are disabled in BoostSecurity Policy, secret validity will not be checked even if its a supported service.
| SaaS | Gitleaks rule |
|---|---|
| Asana | - asana-client-secret |
| Datadog | - datadog-access-token |
| Dropbox | - dropbox-api-token - dropbox-long-lived-api-token - dropbox-short-lived-api-token |
| - facebook-access-token - facebook-page-access-token - facebook-secret |
|
| GitHub | - github-app-token - github-fine-grained-pat - github-pat - github-refresh-token |
| GitLab | - gitlab-pat |
| Heroku | - heroku-api-key |
| Hubspot | - hubspot-api-key |
| Mailgun | - mailgun-private-api-token |
| Sendgrid | - sendgrid-api-token |
| Slack | - slack-app-token - slack-bot-token - slack-config-access-token - slack-config-refresh-token - slack-legacy-bot-token - slack-legacy-token - slack-legacy-workspace-token - slack-user-token - slack-webhook-url |
| Square | - square-access-token |
| Stripe | - stripe-access-token |
| Telegram | - telegram-bot-api-token |
| - twitter-bearer-token - twitter-access-token |