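# Gitleaks configuration
# https://github.com/gitleaks/gitleaks
#
# NOTE(review): this file defines only the three custom rules below and has no
# [extend] table. Without `useDefault = true` under [extend], gitleaks runs
# only the rules listed here and none of its built-in credential detectors.
# If this is the only config the repository is scanned with, confirm that
# is intended.

title = "NORA gitleaks rules"

# Internal infrastructure — private IPs and domains
[[rules]]
id = "private-network"
description = "Private network addresses and internal domains"
# Covers 10.25.1.x and 10.0.x.x only; other private ranges are not matched.
# The pattern has no word boundaries, so it also fires inside longer dotted
# numbers (for example a version string that contains 10.0.1.2).
regex = '''(10\.25\.1\.\d+|10\.0\.\d+\.\d+)'''
tags = ["network"]

[rules.allowlist]
# Tested against the rule's full match. Anchored so that only the literal
# network address 10.0.0.0 is suppressed; unanchored, the pattern would also
# suppress any longer match that merely contains that text.
regexTarget = "match"
regexes = ['''^10\.0\.0\.0$''']

[[rules]]
id = "internal-domains"
description = "Internal domain names"
# Lowercase only and a single label before the suffix. Expect noise from
# file names that end in .local or .internal.
regex = '''[a-z0-9]+\.(lab|internal|local)\b'''
tags = ["network"]

[[rules]]
id = "tailscale-hostnames"
description = "Tailscale MagicDNS hostnames"
# Matches host.tail<id>.ts.net; a tailnet name that does not start with
# "tail" is not caught by this pattern.
regex = '''[a-z0-9]+\.tail[a-z0-9]+\.ts\.net'''
tags = ["network"]

[allowlist]
description = "Allowlist for false positives"
# Path regexes. These files are skipped by every rule, so nothing sensitive
# should ever be stored in them.
paths = [
    '''\.gitleaks\.toml$''',
    '''\.gitignore$''',
]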