Gitleaks rules¶
BoostSecurity extend the default Gitleaks rule set with Boost managed rules.
Extending Gitleaks rules¶
When you are configuring a custom Gitleaks rule set, you can either specify an entire rule set or use the Gitleaks extend feature. There are a few reasons you may want to extend the default Gitleaks rules:
- Add new detection rules.
- Extend an existing rule.
- Make a rule more strict (i.e., remove false positive).
The Gitleaks configuration documentation shows how to extend the configuration to address any of those cases.
title = "Custom Gitleaks configuration"
[extend]
useDefault = true
# Define rules here
Note
Configuration of GitLeaks custom rules overrides any Boost managed rules. If you want to benefit from Boost managed rules you will need to include them in your custom configuration.
Secrets Validity¶
BoostSecurity will test the secrets validity against any of the following public services. Note that, if corresponding Gitleaks rules are disabled in BoostSecurity Policy, secret validity will not be checked even if its a supported service.
| SaaS | Gitleaks rule |
|---|---|
| Asana | - asana-client-secret |
| Datadog | - datadog-access-token |
| Dropbox | - dropbox-api-token - dropbox-long-lived-api-token - dropbox-short-lived-api-token |
| - facebook-access-token - facebook-page-access-token - facebook-secret |
|
| GitHub | - github-app-token - github-fine-grained-pat - github-pat - github-refresh-token |
| GitLab | - gitlab-pat |
| Heroku | - heroku-api-key |
| Hubspot | - hubspot-api-key |
| Mailgun | - mailgun-private-api-token |
| Sendgrid | - sendgrid-api-token |
| Slack | - slack-app-token - slack-bot-token - slack-config-access-token - slack-config-refresh-token - slack-legacy-bot-token - slack-legacy-token - slack-legacy-workspace-token - slack-user-token - slack-webhook-url |
| Square | - square-access-token |
| Stripe | - stripe-access-token |
| Telegram | - telegram-bot-api-token |
| - twitter-bearer-token - twitter-access-token |