31 lines
1.2 KiB
INI
31 lines
1.2 KiB
INI
# detect-secrets exclusion patterns (regex)
|
|
#
|
|
# Note: detect-secrets does not read this file by default. If you want these
|
|
# applied, wire them into your scan command (e.g. translate to --exclude-files
|
|
# / --exclude-lines) or into a baseline's filters_used.
|
|
|
|
[exclude-files]
|
|
# pnpm lockfiles contain lots of high-entropy package integrity blobs.
|
|
pattern = (^|/)pnpm-lock\.yaml$
|
|
# Generated output and vendored assets.
|
|
pattern = (^|/)(dist|vendor)/
|
|
# Local config file with allowlist patterns.
|
|
pattern = (^|/)\.detect-secrets\.cfg$
|
|
|
|
[exclude-lines]
|
|
# Fastlane checks for private key marker; not a real key.
|
|
pattern = key_content\.include\?\("BEGIN PRIVATE KEY"\)
|
|
# UI label string for Anthropic auth mode.
|
|
pattern = case \.apiKeyEnv: "API key \(env var\)"
|
|
# CodingKeys mapping uses apiKey literal.
|
|
pattern = case apikey = "apiKey"
|
|
# Schema labels referencing password fields (not actual secrets).
|
|
pattern = "gateway\.remote\.password"
|
|
pattern = "gateway\.auth\.password"
|
|
# Schema label for talk API key (label text only).
|
|
pattern = "talk\.apiKey"
|
|
# checking for typeof is not something we care about.
|
|
pattern = === "string"
|
|
# specific optional-chaining password check that didn't match the line above.
|
|
pattern = typeof remote\?\.password === "string"
|