
Gitleaks rules


BoostSecurity extends the default Gitleaks rule set with Boost managed rules.


Extending Gitleaks rules


When you configure a custom Gitleaks rule set, you can either supply an entire rule set of your own or use the Gitleaks extend feature to build on the default rules. There are a few reasons you may want to extend the default Gitleaks rules rather than replace them:

  1. Add new detection rules.
  2. Extend an existing rule.
  3. Make a rule stricter (i.e., remove false positives).

The Gitleaks configuration documentation shows how to extend the configuration to cover each of those cases. The minimal starting point keeps the default rules and adds your own definitions below the [extend] section:

title = "Custom Gitleaks configuration"

[extend]
useDefault = true

# Define rules here

Note

A custom Gitleaks configuration overrides any Boost managed rules. If you want to keep benefiting from the Boost managed rules, you must include them in your custom configuration.


Secrets Validity


BoostSecurity tests the validity of detected secrets against the following public services. Note that if the corresponding Gitleaks rules are disabled in the BoostSecurity Policy, secret validity is not checked, even for a supported service.

SaaS        Gitleaks rule(s)
Asana       asana-client-secret
Datadog     datadog-access-token
Dropbox     dropbox-api-token
            dropbox-long-lived-api-token
            dropbox-short-lived-api-token
Facebook    facebook-access-token
            facebook-page-access-token
            facebook-secret
GitHub      github-app-token
            github-fine-grained-pat
            github-pat
            github-refresh-token
GitLab      gitlab-pat
Heroku      heroku-api-key
Hubspot     hubspot-api-key
Mailgun     mailgun-private-api-token
Sendgrid    sendgrid-api-token
Slack       slack-app-token
            slack-bot-token
            slack-config-access-token
            slack-config-refresh-token
            slack-legacy-bot-token
            slack-legacy-token
            slack-legacy-workspace-token
            slack-user-token
            slack-webhook-url
Square      square-access-token
Stripe      stripe-access-token
Telegram    telegram-bot-api-token
Twitter     twitter-bearer-token
            twitter-access-token