
Gitleaks rules


Out of the box, BoostSecurity uses the Gitleaks default rule set.


Extending Gitleaks rules


When you configure a custom Gitleaks rule set, you can either supply an entire rule set or use the Gitleaks extend feature, which keeps the default rules and layers your changes on top of them. There are a few reasons you may want to extend the default Gitleaks rules rather than replace them:

  1. Add new detection rules.
  2. Extend an existing rule.
  3. Make a rule more strict (i.e., remove false positives).

The Gitleaks configuration documentation shows how to extend the configuration to address each of those cases.
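The following configuration is an added example, not a file taken from BoostSecurity or from the Gitleaks project, showing all three cases above in one custom Gitleaks rule set that extends the defaults instead of replacing them. The rule ids, regexes, keywords and paths it contains are hypothetical and should be adapted to your own token formats and repository layout.

```toml
# Added example (not BoostSecurity's or Gitleaks' own configuration).
# Every rule id, regex, keyword and path below is hypothetical.
title = "Custom Gitleaks rules extending the default set"

[extend]
# Case 0: keep every rule from the built-in Gitleaks configuration and
# add the rules declared in this file on top of it.
useDefault = true

# Case 1: add a new detection rule for an internal token format
# (hypothetical "acme_<3 letters>_<32 alphanumerics>" shape).
[[rules]]
id = "acme-internal-api-token"
description = "ACME internal API token"
regex = '''\bacme_[a-z]{3}_[A-Za-z0-9]{32}\b'''
# Keywords let Gitleaks skip lines that cannot match, which keeps the
# scan fast; list a literal fragment that every real token contains.
keywords = ["acme_"]

# Case 3 (rule-scoped): make the new rule stricter by ignoring values
# that are documented placeholders or live under test fixtures.
[rules.allowlist]
regexes = ['''acme_[a-z]{3}_(EXAMPLE|PLACEHOLDER)[A-Za-z0-9]*''']
paths = ['''(^|/)testdata/''']

# Case 2: extend an existing rule. Declaring a rule with the same id as a
# default rule replaces the default definition with this one (assumption
# based on how Gitleaks merges extended configs; verify against the
# version you run). Here a hypothetical second prefix is accepted.
[[rules]]
id = "generic-acme-token"
description = "ACME token, legacy and current prefixes"
regex = '''\b(acme|acmelegacy)_[a-z]{3}_[A-Za-z0-9]{32}\b'''
keywords = ["acme_", "acmelegacy_"]

# Case 3 (global): suppress known false positives across all rules.
# Entries here apply to every rule, so keep them narrow.
[allowlist]
description = "Fixtures, docs and well-known dummy values"
paths = [
  '''(^|/)fixtures/''',
  '''\.md$''',
]
# Matched against the detected secret by default (regexTarget = "secret").
regexes = ['''(?i)(dummy|sample)_[a-z]{3}_[A-Za-z0-9]{32}''']
stopwords = ["example", "placeholder"]
```

With this file in place, the default Gitleaks rules still run unchanged except where an id collides, the new rule fires on the hypothetical ACME format, and the allowlists remove the documented placeholders and fixture directories from results. Because BoostSecurity only validates secrets for rules that remain enabled (see Secrets Validity below), prefer narrowing a noisy rule with an allowlist over disabling it outright, so that true positives from that rule still get validity checks.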


Secrets Validity


BoostSecurity will test the validity of detected secrets against any of the following public services. Note that if the corresponding Gitleaks rules are disabled in the BoostSecurity policy, secret validity will not be checked, even if the service is supported.

SaaS       Gitleaks rule
Asana      asana-client-secret
Datadog    datadog-access-token
Dropbox    dropbox-api-token
           dropbox-long-lived-api-token
           dropbox-short-lived-api-token
Facebook   facebook-access-token
           facebook-page-access-token
           facebook-secret
GitHub     github-app-token
           github-fine-grained-pat
           github-pat
           github-refresh-token
GitLab     gitlab-pat
Heroku     heroku-api-key
Hubspot    hubspot-api-key
Mailgun    mailgun-private-api-token
Sendgrid   sendgrid-api-token
Slack      slack-app-token
           slack-bot-token
           slack-config-access-token
           slack-config-refresh-token
           slack-legacy-bot-token
           slack-legacy-token
           slack-legacy-workspace-token
           slack-user-token
           slack-webhook-url
Square     square-access-token
Stripe     stripe-access-token
Telegram   telegram-bot-api-token
Twitter    twitter-bearer-token
           twitter-access-token